Chicago

Dr. Ron Ross, a living legend in cybersecurity and one of the most influential architects of our nation’s cyber defense frameworks, joins us in-person for an extraordinary keynote conversation not to be missed. With decades of pioneering work at NIST, including authoring landmark initiatives like the Risk Management Framework and the NIST Systems Security Engineering Guidelines, Dr. Ross brings unmatched insight into the future of cybersecurity. This powerful session—moderated by Parham Eftekhari, EVP at CRA Communities—will explore the most urgent priorities and transformative strategies needed to ignite meaningful change in our cyber posture. Dr. Ross will also share freely available tools and resources designed to empower practitioners across sectors. Don’t miss this rare opportunity to engage with one of cybersecurity’s most visionary leaders.

Key Topics:

• Building and managing effective incident response plans.
• Detecting and mitigating cyber and physical threats.
• Using real-time data and intelligence for decision-making.

Why It Matters:
Security managers often handle tactical responses. Understanding effective response strategies ensures timely containment and resolution of incidents.

Threat actors are increasingly targeting development pipelines in order to launch software supply chain attacks that have massive downstream impacts. These attacks are successful — the Snowflake breach of 2024 in which an attacker extorted $2.7 million out of customers is proof they work. Governments across the globe have also taken note of this threat, with SBOM mandates and regulations like the Cyber Resilience Act in Europe aiming to mitigate the risks. Open source malware, another name for a malicious open source package, is proliferating — Sonatype alone has observed more than 778,500 pieces of open source malware since 2019, representing more than 200% growth year-over-year. Attendees will learn about the most prominent types of open source malware including discoveries over the past year, what attributes differentiate open source malware from traditional malware and vulnerabilities, best practices for defending against open source malware, and how the attack vector will evolve in 2025. Join this talk to learn more about: How and why threat actors are focusing efforts on infiltrating software development via open source Differentiating attributes between open source malware and traditional malware The most prominent types of open source malware impacting enterprises today, as well as how enter development pipelines Best practices for SBOM management and securing the software development lifecycle against open source malware

Data security has been around for decades, and yet, it still feels like an unsolvable puzzle. Legacy technologies are typically resource-intensive, find just a small portion of companies’ sensitive data, and produce a ton of false positives. The impact to operations is often so significant that businesses never move their DLP out of monitoring mode. Attend our session to learn: • Why traditional approaches to data security have failed • How AI and context are revolutionizing data security • Where to maximize the value of your existing security investments • What you can do to secure your Gen AI rollouts With the right strategy and technology, you can transform your data from a liability to a well-managed asset.

Key Topics:

• Ransomware, phishing, and advanced persistent threats (APTs).
• Optimizing operations and improving security through Orchestration and Automation.
• Understanding the impact of AI and IoT on security vulnerabilities.

Why It Matters:
Staying informed about the latest threats helps leaders anticipate and prepare for risks that can disrupt operations.

In today’s rapidly evolving digital landscape, organizations are struggling with diverse methods of interaction with employees, customers, and partners through a multitude of technologies. This complexity often leads to a lack of control over Identity and Access Management (IAM), leaving organizations vulnerable to security threats and compliance issues. The cost of ignoring the risk can haunt you for years; however, you cannot correct what you don’t know, so the first steps are assessing whether your organization is positioned for a successful implementation, migration, or fix and validating that the organization is focused on the right path and issue they are looking to mitigate. Join us as we demonstrate a proven, 3-stage IAM Strategic Assessment model that is NIST compliance driven, answering the “what, where, when, why, and how” surrounding both Workforce Identity & Access Management and Customer Identity & Access Management (CIAM) programs, projects, and operations.

Hear from the women shaping the future of cybersecurity. This executive panel features trailblazing female cybersecurity leaders who are not only securing global enterprises and critical infrastructure, but also redefining what leadership looks like in the industry. In a candid, high-impact discussion, panelists will share lessons from the front lines—navigating complex threats, building high-performing teams, and breaking barriers in a traditionally male-dominated field. Attendees will gain executive-level insights into how diverse leadership drives stronger outcomes, how to build more inclusive cultures from the top down, and why supporting women in cyber isn’t just good optics—it’s smart strategy.

Rapid changes in public‑key infrastructure are reshaping operational and compliance expectations. By 15 March 2026 the CA/B Forum will reduce the maximum validity of publicly trusted TLS certificates to 200 days, with a roadmap to 47 days by 2029. Google has announced removal of the ClientAuth EKU from browser‑trusted certificates. Recent events—including Entrust’s browser distrust and DigiCert’s emergency revocation of 84 000 certificates—demonstrate the scale of disruption when certificates must be replaced at short notice. In parallel, NIST formally approved its first post‑quantum algorithms on 13 August 2024, signaling the start of industry migration toward quantum‑resistant cryptography. This briefing provides security architects, product owners, and operations teams with a concise action plan for the next three years: Certificate Lifetime Reduction – implications of 47‑day validity periods and how end‑to‑end automation (ACME/EST issuance, delegated DNS‑01 or HTTP‑01 domain validation, stapled OCSP, and scheduled revocation tests) sustains availability. Managing Mass Revocations – analysis of recent CA incidents, readiness metrics to track, blast‑radius containment strategies, and effective stakeholder communication. Transition to Quantum‑Safe Cryptography – practical steps for introducing hybrid X.509 certificates, rotating keys within HSMs, and deploying NIST‑approved algorithms (Dilithium, Falcon, SPHINCS+) alongside existing elliptic‑curve and RSA deployments. Attendees will gain a clear understanding of the operational, security, and business consequences of these developments, together with pragmatic measures that can be incorporated into 2025–2027 plans. The session emphasizes fact‑based guidance and proven practices suitable for organizations of all sizes.

In this Presentation, John will discuss how new threats against critical infrastructure in the US are emerging and why solutions to combat them must keep pace. He will also explore the importance of public/private partnerships for critical infrastructure security stakeholders and why they need to rethink their approach to fostering collaboration. John will also outline how these partnerships can help organizations to future-proof their security and keep America running smoothly.