May 26, 10:40-11:30

Zero Trust in a Post-Truth World: Defending Against Misinformation & Cyber Threats

In an era where misinformation spreads faster than truth and trust is constantly exploited, traditional security models are no longer sufficient. The Zero Trust framework—built on the principle of "never trust, always verify"—offers a resilient approach to securing organizations against evolving cyber threats.

This session explores how misinformation campaigns, social engineering, and insider threats challenge conventional security postures, making Zero Trust not just a strategy but a necessity. Attendees will gain insights into the core principles of Zero Trust, real-world case studies of its implementation, and practical steps to build a security-first culture within their organizations.

Join me in navigating the misinformation minefield and uncovering how Zero Trust can be the key to defending against cyber deception in today’s digital age.

May 26, 11:40-12:30

When All Else Fails: Recovery, Resilience, and the Power of Adaptability

Prevention isn’t 100% effective — and never will be. That’s why cyber resilience, and specifically the ability to recover quickly and confidently, is essential to ensuring your organization never suffers a business-ending event. Recovery is the last — and most critical — line of defense.

Zero Trust doesn’t end with identity or network controls — it must extend to how your organization protects and recovers data. In today’s evolving threat landscape, true cyber resilience means assuming breach and ensuring you can recover — cleanly, quickly, and without being locked into a single vendor ecosystem. This session explores why open, portable, and immutable backups are essential to maintaining flexibility, and how to align recovery strategies with least-privilege access, clean-room testing, and Zero Trust principles.

Join cybersecurity veterans Derran Guinan and Jeremy Carr as they present on cyber resiliency, modern recovery strategies, and debate the merits of software-defined architectures versus closed, all-in-one solutions. Walk away with practical guidance and a fresh perspective on how to strengthen your organization’s ability to bounce back — no matter what.

May 26, 1:30-1:50

KEYNOTE: One Community, Many Voices: Advancing Cybersecurity Through Collaboration

One Community, Many Voices” means that while we are united by a common mission, to protect our digital assets, we each bring unique perspectives and skills that strengthen our collective defense. Whether you're writing policy or code, your voice matters. Cybersecurity isn’t the job of one team or one title, it’s a shared mission. As threats become more complex and fast-moving, the strongest defenses come from collaboration across disciplines. That’s why, for the first time, BSides has launched a GRC (Governance, Risk, and Compliance) track to recognize the critical role that GRC professionals, risk leaders, and policy makers play in protecting what matters most.  Let’s explore how developers, auditors, security engineers, and GRC teams can work together to tackle real-world challenges, from securing applications to managing third-party risk and responding to zero-day threats. By breaking down silos and elevating new voices leads to smarter decisions, faster responses, and security that works.

May 26, 2:00-2:50

How to Avoid Potholes When Scaling Your Application Security Program

Have you ever wondered what it is like to build an Application Security program at a very large organization? Or an organization that had experienced hyper-growth and the security team’s growth was not at the same pace as Engineering? What about an organization that had acquired a lot of different companies with vastly different tech stacks?

This talk will go through where you need to focus your energy to build a scaled Application Security program and how to avoid pitfalls along the way. It will deep dive into topics such as:

• The different levels of maturities for Application Security programs

• How to hire the right individuals for a scaled program

• How to best leverage your tools to bring out the value of them

• And how to build a democratized vulnerability management program, so that Engineering is responsible for vulnerabilities 

May 26, 3:00-3:20

A Methodology for Quantifying Cyber Risk: The 'R' in the GRC Most are Still Struggling to Define

One recurring challenge I’ve seen as a cybersecurity consultant across organizations of all sizes is that “risk” is still treated as an abstract concept rather than a measurable input to decision-making; even the GRC tooling out there today is still not quite hitting the mark. Security programs often begin by adopting a control framework such as NIST CSF, ISO 27001, CIS, etc. and pursue coverage without a clear understanding of which controls align with the organization’s actual risk exposure or their risk tolerance.

In this session, we’ll cut through the ambiguity surrounding risk in cybersecurity governance by demonstrating a practical approach to quantifying risk that works no matter which framework you adopt. We’ll examine how to move beyond checklist-based compliance by using concepts like asset types and inherent impact to establish a baseline for risk-informed control selection. We'll also show how this method covers a common blind spot: how to determine what “enough” security looks like, avoiding both over-engineering and under-protection.

Finally, we’ll look at why well-executed GRC efforts often go unnoticed—and how to communicate the value of controls and risk reduction even when no incidents occur and its value is hidden.

If you're looking to mature your risk management practices, operationalize security as a business function, or refine how to quantify cyber risk, this session will give you a grounded and practical model to build from.

May 26, 3:30-3:50

Lets be Honest About Vendor Risk Management: Achieving Real Resilience in Vendor Engagements

Lengthy questionnaires and “rubber stamp” approvals give vendor risk management a bad reputation. And frankly, they seldom mitigate risk. In this presentation, I will aim to challenge the prevailing approach to vendor risk management and suggest an alternative methodology that puts vendor engagements in context and mitigates real risk through informed recommendations and partnerships with both business owners and vendors. 

The methodology sounds simple: spend time where impact is material, understand how the business will use the vendor, and assume breach. With this context, we can then work with the both the vendor and the business to identify ways to a) reduce the impact of a breach b) lower the likelihood of compromised data and c) build resilience into key third party engagements.

May 26, 4:00-4:20

Beyond Algorithms: Human Reasoning in Cybersecurity Compliance

As the Director of Cybersecurity Services at D3 Security, I talk to MSSPs and SOC teams every day about how they automate and orchestrate their way through complex security challenges. MSSPs represent an interesting and unique market, in that they cater to a wide variety of clients, each with unique security needs, and operate on an expansive scale. This introduces both opportunities and challenges when it comes to automating security operations.

In this session, I'll talk about:

How MSSPs are using automation to manage increasingly large volumes of security alerts through playbooks and integrations.

How MSSPs deliver services, often in ways that aren't visible to end users but are critical to ensuring secure operations

How SOAR helps MSSPs improve incident response by automating repetitive tasks, such as threat detection, analysis, and response.

How effective automation can translate into faster Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), as well as best practices for MSSP automation.

How AI can assist MSSPs in threat hunting and incident response, and how AI helps MSSPs easily scale operations.

May 26, 4:30-5:20

From Evidence to Assurance: A Framework for Cybersecurity Through Structured Doubt

Cybersecurity assurance remains a significant challenge for organizations, due to its resource-intensive nature and complexity. While existing standards and checklists provide valuable guidance, they are predominantly employed to audit a company’s cybersecurity practices at a given point in time. A major limitation with these methods is that they are generally static; they lack mechanisms for doubting an organization’s current approach to managing cybersecurity risk, which can help identify hidden vulnerabilities and foster continuous improvement. Furthermore, checklists or questionnaires often fail to explain why a specific mitigation strategy or artifact is important to the underlying security objectives, which can lead to confusion and miscommunication. In this presentation, we propose a framework that combines the benefits of these template resources with the Eliminative Argumentation (EA) methodology to offer a more dynamic approach to cybersecurity assurance. The framework generates a hierarchical model, where active cybersecurity mitigations are presented as evidence linked to source documentation, which facilitates traceability to requirements, security goals, and existing measures. Additionally, defeaters (or doubts) are incorporated to challenge a given cybersecurity posture against potential attack paths or vulnerabilities. This not only tests the robustness of cybersecurity measures but also enables the identification of further weaknesses or security gaps. Ultimately, our framework provides a practical, systematic approach to strengthening cybersecurity while ensuring continuous validation and improvement within a live model.