
Good morning everyone. Thank you very much for joining in today, Monday morning. We had a very good session with Michael, who is from town. So that was great. My name is Mashid Ahmed. I will be MC for this morning's session. There are a number of other sessions happening in parallel, so you have an option to go and check those sessions as well. So now, without further ado, we will have a panel discussion here on the topic of "Bounce Back Better: Innovate with Resilience." Resilience is one of my favorite words because it tells me that I can come back after any setback, right? So it's very important for us as security professionals to understand and build resilience in ourselves so that we can come back after any unforeseen event. So with that I would like to welcome the panel on the floor. And I'm not going to introduce them in detail. Dr. Cleo will be introducing them. So that's a little bit of hype I would like to create here. First we have Florence Johnson. Hey, thank you. Then we have Julia Beck. We have Kim Crochell and Michelle Denier and Tola Jima. And last but not least, our panel host today is Dr. Cleo. Thank you everyone. Welcome.
>> I'm Dr. Cleong Shonga and I'll be moderating this panel on the topic "Bounce Back Better: Innovate with Resilience." We have a big panel today, so we respectfully request that you hold any questions you have until the end of our session. If it turns out that we do not have enough time for questions, all of the panelists are happy to answer questions in the crowd. They say the hand that rocks the cradle rules the world, and it's true. Think of the animal kingdom, from the queen bee commanding the hive to the lioness guiding her pride. Nature itself reminds us of the strength and leadership of women. I once remarked to my husband that perhaps there's a glitch in humankind, because the evidence is everywhere. Women are life-givers, the ones who nurture, build and hold things together when it matters the most. And that is resilience: the quiet power that allows us not just to survive, but to rise stronger, bolder, and more determined. Today, women still only represent about 25% of the cyber security workforce, but their impact is undeniable. They play an outsized role in some of the critical areas, like governance, which forms the pillar of sound cyber security; architecture, which defines and protects our security boundaries; and incident response, which brings order to chaos, restoring trust and resilience. When a breach hits, when systems collapse, when chaos threatens, women are often at the forefront, bringing fresh perspectives, new ways of thinking, and approaches that turn crisis into opportunities for renewal. Today, this incredible panel of women will show you exactly that. So without further ado, let me invite these remarkable women to introduce themselves. Ladies, I'm going to ask you to introduce yourselves with a twist. I would like to ask that when you introduce yourself, you finish your intro with "I bounce back with..." and "I still do this today." Go ahead.

>> All right. Good morning, everyone. My name is Michelle Denway and I have the privilege of being the director of IT security and risk management at Alberta Pension Services and leading a multi-program team of incredibly bright and dedicated professionals. I'd also like to mention, for BSides, we actually have 12 altogether from Alberta Pensions represented here today, including another director, some managers, cyber security, identity and access management, developers, IT operations and internal audit. So a really good showing today. To answer the bounce back question, and this will go even to Michael's comment around challenging the status quo: I bounce back by rejecting the age-old notion that incident responders have to be fully on for the entirety of an incident response. And what I still do is make sure that it's fully understood that these people need rest breaks, real rest breaks, and that otherwise they are going to become unwell and unhappy zombies who can no longer perform properly and may make mistakes.

>> Thank you, Michelle.

>> Good morning. My name's Julie Babia. I work for Alberta Pension Services as well. My role is IT security and risk management. I'd like to just say Michael set us up really well. It's like he watched what we had in our paper and has given us an insight into where we're going today. I want to say that I bounce back by documenting incidents and disasters, and I still believe that transparency beats perfection every time.

>> Thank you, Julie.

>> Hello everyone. Very good morning. My name is Florence Johnson. I am a security architect from Canadian National Railways, specializing in identity security. I've been in the industry for the past 15 years, and I wanted to say that I am the only female security architect in my team out of the 15 or 20 other architects. So I have a big voice in my organization. So what I would say is, I bounce back better by learning to slow down and pause with intention, and I try to fix the process, not people. People can't be fixed, but processes can be, right? So get down to the roots and fix the process. People will eventually follow that. And what I'm continuing to do today is to always assume positive intent, to stay curious and not to jump to conclusions or assumptions, but rather stay curious and get to understand the other side of the world. Thank you.
>> Hi, my name is Kim Kell. I co-founded a company called Treefort Identity Verification. We are a national company now, and I'm proud to say we are Edmonton-based. I co-founded it with my husband Jay, and we ended up doing an acquisition deal with a large title insurance company. So that's how we got national so quickly. But in my role I've worn many hats. My role today is I head up information security, which is a real passion for me, as well as HR. And my bounce back better is: I'm older, and as I get older I find that to stay focused I have to drink a lot of coffee. I don't know how many of you have to, but I do. So I do better when I'm drinking coffee, and I'd like to say today I'm trying to reduce that. So I'm trying to go with one caffeinated beverage per morning. And when it comes to incident response, when you're juiced up on coffee, oftentimes you need to calm down and you need to focus and you need to get your team to be calm. So I am focused and working on that there.

>> Hi everyone. I'm super excited to be here. My name is Tola Jima and I'm the founder and CISO at Cyber Strategy Consulting. Happy to say that we're based out of Calgary. So I've come from the very beautiful city of Calgary to be here at BSides today. Kind of like Kim, in my role I feel like I wear too many hats. Information security is definitely a passion. I feel like you can't be or thrive in this field if you didn't really like what you did. And in this field, I've had the pleasure of working across various verticals and disciplines, right now focused on cloud security. I deal a lot with regulators and auditors, and so I'm in everything around the GRC area, and I am privileged to work with a team of incredibly focused individuals who really put their heart into what they do, which I would say is also reflected in this room with the beautiful faces I see here. My bounce-back statement is: I bounce back after I've had some time in the wild. Not necessarily facing or chasing bears, but just going out into nature, because I believe that the work that we do is incredibly taxing. And so it is important to take some time out to recharge, whatever that means to you. And that's one thing I feel like we don't always get the chance to do. So I am intentional about going out into nature, which is my major recharge source, and, kind of like one of the other speakers had said, I still try to encourage the teams, because that's also something that I find is lacking. So I try to encourage my teams. I see someone with a puppet here; that's the kind of thing I will take to a meeting just to keep everybody bright and smiley. So thank you.

>> Thank you. [Applause] Thank you, ladies. What a way to kick off the session. I think we can all relate, all of us in cyber security can relate, to the fact that there's always a lot of pressure when we think about the latest cyber security threats or any other threats that might come up. So there are known threats that we already are aware of that we take care of. But what about the unknown threats,
Michelle? How do you prepare for the unknown unknowns? The threats that we haven't imagined yet.

>> Thank you, Cleo. And I know this is going to resonate with everyone because we all live through the different incidents, but the ones that I really want to focus on in terms of the unknown unknowns, I will specifically use black swan events as the examples. A black swan event is an unpredictable, severely impacting incident that falls outside the realm of regular expectations. It's something we don't see coming and only understand in hindsight. In cyber security and IT, black swans often expose systemic weaknesses that we don't even know we have. For example, take the July 2024 CrowdStrike Microsoft outage. It wasn't a cyber attack, but it sure felt like one, and it crippled over 8 and a half million Windows enterprise devices globally. It paralyzed businesses, disrupted hospitals, grounded flights. It was a black swan event that exposed just how fragile our digital dependencies are. And that digital dependency, we know there are a lot of them. Even just this weekend, we saw that with an actual cyber attack that disrupted multiple European airports, including Heathrow, as it affected the electronic check-in and baggage system. And it definitely slowed, it disrupted flights, because everything had to be done manually: manual check-ins, manually writing the baggage tags. So it was reported that British Airways was unaffected, as they were able to use a backup system. So they did have some business resilience planning. But just another really good example: consider July of 2022, and this has already been three years, it's hard to believe, when Canada experienced the Rogers Communications outage that took down mobile, internet and 911 services for 12 million people, caused by a routine network update gone wrong. It cascaded into a national crisis affecting hospitals, financial systems, and emergency response services, just to name a few. I mean, I'm sure many of you felt that impact. Sandy, you felt that impact for several days, right? I can't even imagine having a phone that I cannot use, cannot make contact, or even know what is going on. So that was so impactful, and there was no malware. There was no breach, just a misconfigured filter. And a reminder that resilience isn't just about cyber security. It's about surviving systemic failure. So these events teach us that black swans in IT and cyber security aren't always malicious. They're often mundane mistakes with outsized consequences, and they're unpredictable. So further, how do we prepare? How do we prepare? We stop asking "are we secure?" and ask "are we recoverable?" The importance of resilience beyond cyber security today can mean: one, having parameter validation on kernel services. Well, that's rather specific and maybe outside our control as customers, but developers and QA take note. Rollback protocols that activate in minutes, not hours. Vendor diversification and communication redundancy so we don't have single points of failure. It's not easy. We know that. But these are some of the things that we certainly need to be able to look at so that we don't have these impacting and prolonged outages. Tabletop exercises that simulate chaos, not just compliance. So it means building systems, culture, and strategies that bend but do not break, even when the threat is something we never saw coming. It's important to have response plans and exercise them on a regular basis because, as they say, failing to practice is practicing to fail, because the next black swan event won't look like the last one. And a good way to prepare for the unimaginable is to imagine being ready. Anyway.

>> Thanks, Michelle. I think we all remember that 8.5 million systems affected by the CrowdStrike outage. So sometimes the smallest tweaks can decide a big day. Just a small tweak becomes a big day. And speaking of that, Julie, tell us about a small, boring fix that prevented a very big problem. Now the opposite. So it's the opposite of what happened there. So what changed because of this boring fix?

>> Well, we kind of got a taste of that
this morning through Michael's talk, but we had some staff with admin access on the local machines. Nothing major, just one of those things that had been overlooked for years. That oversight meant that we had to do an awful lot of security audits, remove unsanctioned programs, and our setups weren't standard. So the service desk had more trouble troubleshooting machines because there was an awful lot of stuff on there that was just not allowed. So we sat down, and it shouldn't have been a long process, but it was. We had to review the list of the staff who had access and we had to ask them why. Having a staff member say "well, I update my fonts twice a year" is not a reason to have admin access. So many people lost their access. Let me tell you, I'm glad Michelle has some broad shoulders, because she got an awful lot of complaints that day. But we did a cleanup, and they can still ask for some of those changes. I mean, we don't stop progress. However, there are just methods that you need to go through to work through. So after we had valid reasons, we created admin accounts for those staff members, and to make desktop changes, they don't go in with those admin access pieces. They have to go in and authorize through their special account, through their credentials. So we gave them clear guidance. This is what you're allowed to do. This is what you're not allowed to do. Reach out to security if you're curious. We'll help you through it. We'll say, "Oh, yeah, that sounds great." Or, "Nope, nope, nope." And unfortunately, we do say "Nope, nope, nope" a fair amount. But that's okay. But the real shift actually came when we came to that weekly monitoring. So I actually did look at those weekly reports, and we look at those to see if there are admin accounts slightly starting to creep in. We claw those back if required, and that boring fix became a habit, and that habit became a safeguard for our organization. It's part of our muscle memory. And the fix, it really wasn't exciting. In fact, there were people who I'm sure didn't want us to do it. But the peace of mind it gave us was absolutely worth it.

>> Wow. Such a remarkable example of resilience, simple in everyday life. And that brings us to: most breaches still involve insiders and stolen credentials. Okta's 2023 case started with just an HTTP archive debug file complete with session tokens and became a front door key. Florence, are our access controls failing, or have we been measuring the wrong outcomes, and how can we bounce back better, smarter?

>> Thanks for that question, Cleo. Let's talk reality. Access control really looks great on paper,
but what does the reality say? It literally fails when it gets implemented, or it is not properly implemented. Let's put it that way. For an example, let's take the 2023 MGM Resorts breach, where the hackers did not hack the system by itself. They called the help desk, they impersonated the user, and they were able to get access to the system using a social engineering attack. So were there technical controls? Yes. Were there other mitigations? Yes. But what they failed to account for was the user behavior. So that was the biggest error that happened. And we also tend to ask, oh, do you have MFA? Do you have this control or that control? But are we getting the right requirements for the right use cases so that we apply appropriate controls at the right level, for the right level of access, for appropriate solutions, right? I've seen so many developers, as Julie said, who have retained the root admin access or the domain admin access way after their work is done. It's just because it is left unnoticed, and it's definitely a recipe for breach, right? And what about the insider threats? Are all insider attacks malicious? The answer is no. It's just carelessness. That's all I would say. Because let's say an employee who wants to transfer files from an organization's storage to his personal laptop, and it's just that he wanted to work from home to complete his task. It's just that the organization is not monitoring what he's doing. He's just unaware, just trying to do his work. But what about the DLP controls? Is the organization monitoring what's really happening? And it's still a breach. And how do we actually control all these insider attacks or stolen credentials? We have to shift our focus from having static controls to behavior-based detection, to see what changes and at which level, and to automate least privilege access and give access to those resources on a just-in-time basis. That would be the best solution to remediate any of these kinds of attacks. And I would also think to invest in people, not just in the tools. Investing in people meaning the GRC team who does the regular phishing test wanted to try to educate the users, not just to catch people who are making mistakes, right? So we wanted to educate people at a regular interval to say what is security and the benefits of doing the best practices, and double down on detection and response so that we are always ready for the attack. So overall, as an organization, what we should do is to implement solutions and technologies that should assume compromise, so that the containment and recovery speed are set as benchmarks and not just as another checkpoint on the paper. Thank you.

>> Such an insightful reminder about the importance of securing the human layer. Kim, if a company's fire drill is only on paper, we know that panic wins, right? And the teams that fared best after the CrowdStrike outage had muscle memory and could scale their practices. When it comes to incident response readiness, what was one thing you introduced to your incident response planning that made a real difference and could be used by other organizations?
>> Thanks, Cleo, for the question. What you'll see up on the screen right now is actually the first half of the first page of our incident response plan. And the reason why I wanted to put that up there today is because I have learned quite a bit in the last two and a half years. I have gone through a crash course on how to do SOC 2 Type 2 on all five trust criteria at once. And as part of that, one of the things that I was trying to figure out was how do you do effective tabletop exercises? I think most employees know when you're going to do a tabletop exercise, it's kind of like you're going through the numbers. You're going through a typical playbook. And so I was trying to figure out a way that we can do something that's more impactful. And lo and behold, one of our third-party providers gave me an opportunity. So we had a situation where Twilio had some problems with their SMS. And how it works with identity verification is we have law firms across the country. They send a link to our IDV system to their client through either texting, SMS, or through email. We have to use those processes. I know there's security concerns around them, but that's what we have to use. And so all of a sudden, our clients couldn't use SMS. So given that this was impacting our clients, what I decided to do was to basically activate our war room incident response planning group, because even though this was an IT incident, this was affecting our clients. So we might as well focus and actually put all of the work that we've put into the template that we have and make use of it. So one of my first suggestions to all of you in the room that have teams is: when you have an IT incident, which most of us do, and it has any impact on clients, you can make use of that and turn it into a real-life incident response. Now, we haven't had tons of IT incidents, but they're more common for sure than any cyber security incident, at least in our space. And so, as a result, it's really made us get better. It's made us think. And on the IT incident we had with Twilio, it got our dev team to really think outside the box, think of a new plan, and immediately respond. So if you look at the very top of the document, you'll notice that I have IT incident, cyber security incident, and I have another one which I'll talk about in the next round of questions, which is a fraud incident. And when we were going through our audit recently, the auditor, who's from the States, an accountant, really liked the fact that our IR plan was designed the way it was. And it's designed so that we have everything, including your severity matrix, all in one document. And the purpose behind it is so that anyone in our team could run an IR if needed. And some of the other tips that we learned: we have cyber security insurance. How many of you do? Probably lots. Many people don't realize you get a cyber security coach. So we have those numbers and everything in the IR plan. We also have alternative emails and personal phone numbers in case we're in a situation where everything goes and we still have to communicate. So those are some of the takeaways that I've learned when it comes to IR. And so if you have an IT incident, make use of it.

>> Such a powerful illustration, and thanks for sharing your incident response plan, Kim. So part of ensuring that you and your team are able to handle incidents better is if you have excellent relationships with stakeholders. And that brings me to your question, Tola: across companies and regulators, what single relationship do you activate first, and what do you ask for that saves, like, 10 calls later?

>> Thank you so much for that question. I mean, just reflecting on the question, we understand that once you're dealing with stakeholders and external regulators, you can easily find yourself winding up into a routine or a rhythm of
reactive calls back and forth. And whether it's in response to an audit or you are just trying to comply with certain regulation, it's very important that the relationships that you establish, you make sure that they are tailored to your organization, your processes, and that you make those relationships work for yourself. I know that sounds a little selfish, but once we've set tone at the top and both organizations have aligned, one of the first things you want to do, to directly answer the question, is to name or find a compliance person or risk officer who bridges the gap between your company and the regulator or the auditor, for instance. And the first ask is not it. Even though I feel like what I found is that the knee-jerk reaction is, hey, what do I need? What do you guys need from us? What do we need to be compliant? And that sometimes just sends you down a rabbit hole. What I try to do is not necessarily ask for a list of demands right off the bat, but have something called a calibration conversation so that we can both align and understand what we're building. So what is my team building, or what is the client trying to build? Where does the regulation touch it? For instance, Kim talked about SOC 2 Type 2. Sometimes when you're trying to implement a certain framework or standard, I think the general misconception is that you have to comply with every single control or every single area that is touched within that piece of framework or standard. But that's not necessarily correct. There's something called scoping, and I feel like a lot of people don't even get to scoping, and that is such an important piece. Now, if you don't have the expertise in-house to scope, that's where you can work with this compliance person who can sit with you and coach you through what exactly you need for that compliance piece that you're working on. I find that having this calibration conversation and aligning on what needs to be done helps your team move from reactive calls later, when they, for instance, receive a self-attestation sheet, to being able to be proactive and work towards the evidence or artifacts that need to be presented. That singular relationship that you activate, it's one deliberate touch point by your team that then helps to eliminate so many unnecessary calls down the line. And it makes a huge difference in the efficiency of your team and also even in the morale of the team, because what you don't want is to go into, say, an audit not even knowing what you need. So having that alignment from the start and having that relationship established, especially when it's an external regulator to your company, is super important.

>> I think that's a really practical take on relationship management. Thank you, Tola. In March 2023, ransomware took Canada's largest bookseller offline. Indigo refused to pay, rebuilt over weeks, and offered two years' credit monitoring to affected employees. Executives moved on a few decisive signals. Michelle, what are the two resilience indicators on your dashboard that change real decisions? Not like 20-page memos.

>> First off, sorry. Thank you, Julie. I will never compose a 20-page memo, and I'm sure none of you would as well. I'm for concise and sufficient information to make an informed decision and for only creating something that will be
read. So, as one example, in early 2024, our threat monitoring flagged multiple zero-day vulnerabilities with one of our VPN services. And these exploits allowed the attackers to bypass authentication and drop web shells and actually backdoor legitimate files. External threat intelligence and advisories confirmed the exposure. So it was not our primary VPN service, and one we actually wanted to be able to decommission, but it was still being actively used by several groups of users. Given the exposure and continuing zero days, I informed my CEO that we were shutting it down immediately and actually finally kicking it to the curb. He accepted and approved that decision without any question. So some of the decision impacts are obviously immediately decommissioning this VPN across all environments, and that can be significant, but it's some of that rapid decision-making that you need to make; rapid migration to our primary service, SSL VPN, to maintain the service continuity for our critical deliverables, one of them being we were in the middle of a major, like a core system, upgrade; and then having security incident response initiated with the forensic retention and log archiving so that we could do post-mortem analysis and make sure that we were not affected, that nothing had come into our network. So this indicator didn't just inform. It triggered a full and final pivot from an existing service. As a second example, and I couldn't decide between when I learned that we had several web application servers inside our network, or when we had gone consecutive months without patching our SharePoint servers. So again, ultimately in both cases I issued a clear directive that remediation be planned and executed as soon as possible, interim compensating controls be instituted (who else said compensating controls today? Was that Michael? Just trying to recall), and closer monitoring applied until resolution. Allowing these types of risks to continue once they've been identified is unacceptable and jeopardizes the organization, the resilience of an organization, through a higher potential of disruption to its critical business processes and compromise of data. And what I want to again emphasize here, because often we hear, oh, we're protecting our data, we're protecting our information: your big business driver is also protecting your business processes. Yes, there's the CIA of the data, but there is also the same for the business processes. You want the resilience for those to be able to continue to operate. So resilience is vigilance in adhering to fundamental principles such as architecture and patching. And we generally don't patch in the recommended six days or less, because that's when an attacker can actually take advantage of that vulnerability. But the rigorous cadence of patching is definitely needed, and still having a process to expedite that risk assessment so that you can respond promptly during a zero day or an exploit out in the wild, and action promptly if appropriate. So the importance, and I want to emphasize again, we have so many examples. The importance of this was shown again this summer with the multiple vulnerabilities, including a zero day, with on-premise SharePoint, and there were organizations that were affected. Fortunately we were not; we were able to identify that and respond promptly, applying the recommendations and also the necessary emergency patching. So I know all of you, we live through these things all the time. It's so important, but those are our indicators for our resilience. So those are three examples that involved real decisions to avert potential high disruption events while strengthening our resilience.

>> And that's true. We deal with risks every day. It's part of our life. We can't escape it in the cyber security profession. Julie, what's a risk you choose to live with for now? And how did you keep everyone calm and focused while you're monitoring it?

>> Let's just take a quick poll. Anybody here running some older servers? I'm seeing a few hands up. Yeah, you
betcha. If you didn't put your hand up, you're lying. Okay, so we do we we have some older servers. We're running a legacy SharePoint on prem and we're transitioning. Sure, it's slow. Anyway, it's how it works. These systems are tied to critical workflows and our old onrem SharePoint servers have a lot of business data. We just can't rip and replace. We just can't quite move them as fast as we want. So we had to take a layered approach for how we mitigate those risks. So we segmented that network from our main network. As Michelle indicated, we put in some mitigations mitigations on those SharePoint servers. And so we disabled internet entirely. And we paid big bucks. I mean lots of
bucks. I mean we paid a little bit of money to Microsoft for some extended patching support. But I think one of the biggest things that we did is we added this to our risk register. I know people don't like putting things on their risk register because the moment you do internal audit knows that it's on the risk register and it our executives know that it's on the risk register and our board knows that it's on the risk register. But I think there's value because then we actually got to have the focus to mitigate. So we're doing that. It's slow but we're progressing. So while this is happening, we also have a lot of different um actively monitored
procedures in place to keep that information safe. But it gave us a little bit of breathing room to move at a very deliberate pace, and we didn't compromise security anywhere along the line. So while not everything was a technical decision, the main driver was actually a governance one. By making that risk visible and trackable, we turned that liability into a managed transition. And so we actually shone the light on where the problems are so that we could actually fix them.
>> Wow. Thank you, Julie. The adage "do not put your eggs in one basket" carries weight in cyber security. But as humans, sometimes we like convenience over security. The LastPass incident of 2022-2023 wasn't
crypto failing. It was developer compromise plus vault metadata and backup exposure that increased the blast radius. Florence, if top password managers can be tricked into autofilling credentials via clickjacking, are we prioritizing convenience over security? And how can we bounce back smarter by rethinking controls and user behavior in browser-based password management?
>> That's an interesting question for this year, probably because starting in 2023, 2024 and 2025, almost all browser-based password managers were identified as vulnerable or were exploited by security researchers.
>> Right, and it was exploited via the clickjacking attack. So what the attackers did is they layered invisible login forms over legitimate-looking pages. So what it means for the password
managers is that it injects sensitive credentials without the browser knowingly doing so, without user context as well. So what does it mean? Is the password manager insecure, or does it not have any security protocols? Not exactly. Right. It was a failure in contextual trust. We know that the autofill feature that comes out of browser-based password managers is very fast, because it improves user performance, or the user experience, in injecting the credentials automatically into browser-based systems. But does it mean that we are prioritizing convenience over security? That's a question that we should ask. But what we should focus on here is
to include a context-aware autofill feature that trusts the domain that we are supposed to log in to, and only with user awareness, and we also want to include, every time, that we are trusting the domain that is necessary to be accessed, right? And that's very important in my opinion. And there's also a way to categorize the type of accounts that we are putting into the password managers. There are enterprise password managers, and a PAM solution, and a password manager which is for corporate use. So each has different use cases. So we don't want to put everything in one basket, as Cleo
rightly stated, right? Categorize them as personal or non-personal, official or non-official, or privileged or non-privileged, so that the appropriate controls are applied on these types of accounts and credentials, and introduce just-in-time access on each of these accesses every time. So just-in-time access everywhere, and reauthenticate, reauthenticate, reauthenticate whenever you're trying to access any critical account. So that's the way to go.
>> Thanks, Florence. We have parents in here today, right? And as a parent, we all know that the weird stories sometimes become very good lessons learned. I can see some nods, and I see some people remembering some weird things that happened. Kim, what is the most unusual incident response experience you
have encountered, and what was the takeaway, and how can it help other organizations?
>> Well, as you can see up on the screen here, we have an actual fraudster. So this individual, and for the audience who are here, you guys get to see the full ID. When this gets streamed, it's actually going to be blurred a little bit, but we wanted to share this information with you. And from a privacy perspective, this fraudster doesn't get that privacy, and so that is why we're sharing it with you today. But what this actually was is, right now identity verification technology companies are specifically under attack. And what the attackers are trying to do is... it turns out we're actually becoming very
effective in stopping the bad guys from committing fraud, in particular in Canada, real estate mortgage fraud. So right now when you're buying a home, you're probably going to go through identity verification, and we're one of the big players in Canada. So you probably are going to start seeing more and more of us. But what this group of fraudsters decided to try to do was to carry out a digital injection attack. And how they do it is, first of all, we do due diligence, so they had to impersonate a law firm. As you can imagine, we had to bring in a team to figure out whether we were dealing with an insider in a law firm or whether they
were just successfully impersonating a law firm. In this case, we did find out that they were impersonating the law firm. And our due diligence, just to give you an idea: we do check the law society that they're located in, and we call the number. So we have quite a bit of due diligence. So these guys successfully onboarded. What was interesting is this isn't a cyber security incident, because our systems were working perfectly. Nor was this an IT incident, because this wasn't an issue with our systems either. This was fraudsters impersonating a law firm so that they could try to figure out how to attack our system by learning how to use it first. And so what they were doing
was they were digitally injecting using an emulator tool. And you can see it if you look at the first photo and the second photo; you can see the thumb placement. I put them side by side, and you can see that he changed the name, Ryan and Rajie. And so that's what they were doing. They were going in there and they were tricking the phone, because to do identity verification you're using a phone. They were tricking it and injecting the change from Ryan and Rejieve. And there was a group of them doing this. And the reason why I wanted to show you this is because this is what we're up against when it comes to
generative AI. I think all of you, how many of you are aware of face swapping? Yeah. So I actually spoke at an ICD event in Edmonton and said, "Look, I can face swap you in 28 seconds. I can take your ID, I can take your face off LinkedIn, put it on an Alberta template driver's license, and I can do that in 28 seconds." And I'm not a big techie. So the fact that I can do that is telling you what we're up against. We have an army of people sitting doing this for work, and what they're doing is making use of the GenAI tools. So this digital injection attack, the good news is we caught them. We actually worked
with our providers, and we wanted to watch and see what they did. So we actually did a bit of sleuthing on our end. We were able, of course, to shut them down, and we're better prepared now to deal with digital injection attacks, and we're sharing this information in the ecosystem that we're in. But I guess the message I want to say to all the organizations out here is, if you think... I mean, everything is identity access, and one of the problems we're having is we do have remote workers, but even in person we have people, and we had this in the mortgage space. We had 33 homes sold out from under legitimate homeowners in
the Toronto area. And what shocked me was, I assumed all of those frauds were in-person meetings, when in fact most of them, I mean, were not in person. I thought most of them were online, and in fact they were in person. So the fraudster had no problem putting their face on the fake ID that they created, purchasing stolen identities off of the dark web through a dark web broker, and they then met in person with a mortgage broker, in person with a lawyer, with the IDs, and then were successfully able to commit those frauds. So the good news is, you know, we're the good guys. We're doing our best. We're constantly scouring for new technology
and we're in an arms race. So this is what we do. In our ecosystem, we all do tend to talk to each other, but this is what we're up against. And I think it's important for all of you to be aware this is the new reality.
>> Wow, that is very thought-provoking. I see some anxious faces. So, Tola, maybe you can water it down a bit. What is one governance habit, AI or otherwise, that actually speeds up teams, and what friction can disappear in a few weeks?
>> Amazing. Thank you for that question. So I'll start my answer with a couple of questions myself. How many people are familiar with the three lines of defense
here? Okay, not a lot of people. Okay, I see a few hands. And how many people are used to sitting in a chair trying to convince either management or stakeholders why a certain security solution is important and getting pushback? We have more hands now. So security is, unfortunately, viewed in a lot of companies as a cost center, and what I found in working in this space over the last number of years is that we tend to need to continue to justify the things that we do, as importantly apparent as it seems. Case in point: the very nice identification fraud we see up there
on the screen. But we find that we're constantly put in a place where we have to explain ourselves, we have to explain the solutions we're trying to deploy. I mean, almost everyone here, I'm sure, has had to do one type of risk report or the other, monthly, weekly, because there have to be justifications. We have to speak risk, or interpret risk non-technically to the non-technical audience, on our various teams. Same thing when we're trying to do audits or implement new controls: there's always the question, why? Why are we doing this? Why does my password policy have to be multi-character? Why does it
have to be a certain way? And I found that that drains a lot of our active time, time that we would have used to do more important work. We spend it justifying, we spend it trying to educate the first line, and that's why I asked about the three lines of defense. So basically you have first line, second line, third line. Third line is usually your external auditors; the second line is the people who are the oversight of the risk area; the first line is usually the risk owners. And, ironically, there's meant to be a great amount of collaboration across the three lines, but in reality that's not what happens, in my
experience. And so one of the things that we did, or started doing, especially in more contemporary times where security and engineering teams are interfacing very closely... we're all working with Jira tickets. Anyone familiar with Jira here? Anyone use Jira? Perfect. Okay. So we're all collaborating across different tools, and I find that security is shifting from just implementing or monitoring to actually educating. There is a need to educate the teams that we work with, and so one governance habit that I found started to save our time was implementing something that I call just-in-time guidance. So what we do, literally, is embed a short, tiny
blurb in systems, tools, and processes that we know need to stay compliant. In addition to having whatever policy in place, or having some sort of automation, we also started to have a blurb that explains why a certain thing needs to be done at a certain time. If you get a trigger that your control area is out of compliance, there's an explanation as to why it's out of compliance and what you need to do to get back in compliance. That saved a ton of time, because what happened before was people would have to reach out to us every time to explain every single fall out of compliance.
And sometimes you have people push back and ask you, why do I need to do this? But just implementing that blurb within the GRC tools, or even having Jira tickets set up that send out automatically at a certain time or when people need to get back into compliance, really, really helped. What I found was that it transformed our documentation processes from just being a passive tool to now being more like an active coach within the tools and the processes themselves. And that gave the security team a lot more time back to put their hands into more important work than just coaching. And
that's not to say that coaching teams is not important, because it is. We need to coach teams sometimes for them to be able to work better with us, but at least having that guidance up front just made the work process a lot smoother.
>> Thanks, Tola. I love it when we get practical things that we can go and implement tomorrow in our own organizations. So we've talked about incident response and habits, but with all the constant change in cyber security, what does resilience look like in the future? Michelle, with AI, quantum computing, and hybrid work reshaping the landscape, what does resilience look like in 2030, let's say?
>> Well, thank you, Cleo.
Yeah, and this is a good question, because we're all being confronted with AI, the quantum threats, and hybrid work. Some of it we've been working with for a few years already, and for example with AI, with Alberta Pensions, we're early in our journey. Quantum, we haven't even started the work on it, but we know that we will have to. So resilience in 2030 won't be a static checklist or a reactive playbook. It will be a dynamic, adaptive capability that's embedded in the DNA of every organization. It's not just about bouncing back from disruption. It's about bouncing forward with intelligence, speed, and purpose. While these challenges are relevant today, as I mentioned, 2030 is when they
seem to converge. AI will be mature and ubiquitous. That means it will be everywhere. Quantum threats will be real, not theoretical, and hybrid work will be fully normalized. Regulatory frameworks will be enforced globally. We're certainly seeing that even at the privacy level, but there are going to be AI frameworks, I expect. So 2030 is the deadline for readiness, not the starting line. With AI, it's a double-edged sword of resilience. It will be both our shield and our stress test. On one hand, it'll power predictive threat modeling, autonomous incident response, and real-time risk scoring. But on the other, it will be weaponized by adversaries to launch
hyper-personalized phishing, deepfake social engineering, and AI-driven malware that mutates faster than we can patch. Resilience will mean training AI not just to detect threats, but to explain them, justify decisions, and align with human values. We'll need governance frameworks that ensure AI doesn't just act fast, but acts right. Moving on to quantum: quantum computing is going to redefine what secure means. Encryption protocols that we rely on, like RSA, could be obsolete overnight, and resilience in 2030 will require quantum-safe cryptography, agile key management, and a proactive migration strategy that starts now, not later. Strategy preparation includes, for example, and this is not an exhaustive list, conducting a quantum risk assessment, identifying the systems and data that rely on vulnerable
cryptographic algorithms, and prioritizing the protection of your crown jewels; building a cryptographic inventory, using tools to map out the current algorithms, the key lengths, the certificate types and protocols, and understanding where legacy or weak cryptography is still in use; engaging your vendors and suppliers, asking them what their roadmap is for supporting post-quantum cryptography (PQC) and standards, and ensuring that their products and services won't become weak links and points of vulnerability; and then, of course, also monitoring what the standards and timelines are. So those are things we all need to familiarize ourselves with. Could I ask, is anyone starting, or has anyone started, their quantum computing journey, and
what are your thoughts so far? Is it daunting, or is there a long road ahead?
>> Yes.
>> Yeah. So I think too that it's something, and I think Kim will speak to it a bit as well, but it's something we probably need to look at as a community for sure. So just to finish off that thought: the organizations that wait for quantum disruption to arrive will be too late, and resilience, our emphasis again being resilience, will be anticipating that cryptographic cliff and building bridges before we reach the edge. With hybrid work, the new perimeter is people. It has dissolved the traditional perimeter. We've known that particularly
since the onset of the pandemic in 2020, with everyone at that time moving to remote working. But it will hinge on securing identities, the endpoints, and the behaviors, not just the networks. And we're starting to see that shift. We need context-aware access controls, behavioral analytics, and zero trust architectures that assume compromise and verify everything. But it's not just technical. Resilience will mean cultivating digital citizenship, empowering employees to be vigilant, ethical, and adaptable in a world where work happens everywhere and threats follow. And that's required now, not just 5 years from now. It's the vigilance in recognizing those phishing attempts, whether they're at work or personal, wherever they may present themselves. That's just one example. And
the ethics, handling sensitive data responsibly, particularly now with everyone's desire to use AI and what it offers, but recognizing we have to have readiness and governance related to the data that will be involved, respecting privacy and desirably avoiding shadow IT. And of course adaptability: it's navigating new tools, especially in the AI context, and the workflows and the threats, but with confidence and curiosity. So to wrap that up, every employee, as I mentioned, is part of the security perimeter, and cultivating that digital citizenship turns your workforce into a resilience asset, not a liability. So I think we all shuddered with Michael:
please don't click on those links, please. So ultimately resilience in 2030 will be less about infrastructure and more about intelligence: human, artificial, and organizational. It will be the ability to learn faster than the threat evolves, to adapt without losing integrity, and to turn disruption into transformation. The most resilient organizations won't just survive the future, they'll help shape it.
>> Thanks, Michelle. That's so powerful. If you haven't been keeping track, we are not focusing only on bouncing back, but we're also bouncing forward, as Michelle just rightly said. In 2024, the Snowflake campaign rode stolen or stale credentials, often with MFA, through multiple customer environments, for example Ticketmaster, proving that improvising is easier when
you practice it. Julie, what's a moment when a cyber or business disruption forced you to improvise? And what unexpected innovation or insight came out of it?
>> Thanks, Cleo. I'm actually just stuck back on 2030 and trying to determine if I can retire, but I'm not quite there. Okay, so some moments leave a mark. And for me, that was July 19th, 2024. It was one of those days when blue screens replaced business as usual. The CrowdStrike update didn't stem from a cyber attack, but the disruption it caused felt eerily similar. Systems went down around the globe, and ironically the very security tool that we relied on became an obstacle to the community.
Sure, we had contingency plans. We had playbooks. But the problem was we didn't have access everywhere. Some of the machines got hit, some didn't. Some of the support staff could work, some couldn't. And the result was confusion in a moment when we needed clarity. And even some of our backup communication channels weren't foolproof. Anybody use do-not-disturb mode on your phone when you go to sleep? Turns out that if you don't talk about it as a team, and you don't talk about who needs to be in your favorites for those breakthrough calls, it doesn't happen. And the other thing is that the old "oh, you just call twice" workaround didn't seem to always work, and those
were inconsistent. So we had to implement some new procedures where key contacts, some executive and IT leads, specifically our crisis managers, had to have those numbers saved in their favorites so that those work IDs, those work phones, could break through. And it made us actually rethink resilience. So it's now not just about protection, but it's about accessibility. So what innovations came out of this? As an organization, we are starting to look at cloud-based business resiliency and cyber security playbook platforms so that we can keep some of those key materials out of our Microsoft tenant, out of our systems, so that we can access them anywhere at any time, so that they're available when some of our key
systems go down. We also have to look at different ways to notify executives, IT management, and even some of our employees when these systems are down. Having different war rooms where you can have different people connect in at the right times, so you can have those key conversations about where we are, where we're going, what we need to do. It taught us that resilience isn't about surviving the storm, but it's mostly about communication. And sometimes one of the biggest things we learn doesn't actually come from a breach, but it comes from a breakdown of the tools that we thought were invincible. It gave us an opportunity to just pause and look at what's available to us to
improve for the next time, so that we can actually have those key players in the room, whether they're mobile war rooms or whatever other systems that we have. Thank you.
>> Thanks, Julie. For those who have done ITIL, you know there's a phrase that says "start where you are." So I guess that's what they did. They're choosing to start where they are. So non-human identities like service accounts, tokens, and workload roles are the new privileged users. Governance, inventory, and automated rotation build trust. Florence, how do we explain non-human accounts to leadership in a way that inspires confidence and demonstrates that even machine identities are controlled, so that we can bounce back stronger from
potential breaches?
>> Thanks for that question. It's the topic of discussion everywhere. We hear about machine identities, non-human identities. What are they? Are we hearing about it all of a sudden? But I think it's been there ever since; it's just that we've been hearing about it very recently in these times. And they say that the non-human identities increase exponentially, in the ratio of 1 to 41 to the number of human identities, right? They are basically identities that are used in scripts. They are used for machine-to-machine interaction, in API calls; even your digital certificates, they are all coming under the non-human identities category. And the key message that we want to
communicate to the leadership is that it's one of the biggest privileged users or identities, right? So emphasizing the importance of non-human identities is very important as we speak to the leadership, because they are fast, they operate at scale, they have excessive permissions, they don't rotate, if at all, right? And they are undetected in audit, and the end result is that the risk and the threat is tremendous. In many breaches we would have seen that it's not the actual regular user account, or a human account, which gets compromised, but it's the accounts that are used in the cloud,
tokens or CI/CD pipelines, which get breached, right? So these are all the non-human identities, as we speak. And what we want to introduce or see is governance, visibility, and automation. Governance, in the sense that just like every human identity has an inventory, the non-human identities also should be inventoried, monitored, and audited, so that we apply the right amount of control and technologies to these identities. So they have to be inventoried just like the regular user identities. Visibility, in the sense of understanding where these identities are used, how they are used, and is there an owner assigned to these identities? If one is under attack, we don't want to go and scramble, hey, who
owns this account? So we want to track down the owners and tag it to the appropriate owners right at the beginning itself, to give visibility of those identities. And automation, in the sense of automating key rotation and enforcing time-bound access to these identities, making sure they are ephemeral. The concept of ephemeral accounts is coming into the picture with new technologies. Make use of a secrets management solution so that your scripts do not store your non-human identities and credentials inside the scripts, but rather in a secrets management solution. But overall the message to the leadership is simple: either human or non-human, get to the bottom of inventorying the accounts so that they are audited and we
reduce the blast radius of the threats, and we bounce back better when there is an incident.
>> Thanks, Florence. I was just having a conversation with my team, my colleagues at work, recently, and there was an argument: is an AI agent a service account or not a service account? I'm interested to hear what you think over lunch if you can find me. So we all know threats are increasing rapidly, particularly with the emergence of generative AI, and now we are hearing about post-quantum cryptography. So when it comes to threats, Kim, what keeps you up at night?
>> Well, right now what's keeping me up
is I'm just looking at our clock, and I think we're going to be at the end. So we're probably going to finish at this round, because we're right now almost at lunch. So I'm going to make it short and sweet. Look, quantum is my biggest worry right now. How many of you were listening to Cyber Alberta when the Center for Cyber Security came and did the presentation on the risks of quantum? Anybody in this room? Okay. If you haven't joined Cyber Alberta, you should, because they are having regular sessions on what we need to think about when it comes to quantum. So what concerns me about quantum is really simple. It decrypts everything.
So everything that we know in terms of security, and all the passwords that Florence has talked about in terms of management, basically disappears when we're talking about quantum, because instead of zeros and ones it can do it all instantaneously, and as a result decryption as we know it is gone. So that's pretty simple. For me, in my business, that's a problem. So what I have done is I've taken some of what Cyber Alberta has shared and I approached Quantum City. How many of you know that Quantum City exists? Okay, it's in Calgary. It was given a hundred million dollars from the Alberta government. And so we have Amii in Edmonton on AI; Calgary has Quantum
City. And what I'm doing is, I like to take action when I can't sleep at night. So what I'm doing is making a pitch. And if other companies are interested, I think a group of companies in Alberta should become the guinea pigs for going through what we call PQC, post-quantum crypto. And so we are going to be one of the guinea pigs. In our space, to have identity verification, you have to have a number of vendors. You cannot invent every identity technology, and we have to have those in one tech stack. And our technology is really critical right now in terms of stopping fraud. So from that perspective, we are
a perfect example of high vendor usage, third-party usage, that needs to figure out PQC. So if any of you are interested in having your company join a group of us, we've already talked to IRA, and we're going to be looking at a group approach to figuring out how we're going to do PQC. So with that, I'm going to hand it over to Tola, and thanks so much for your time.
>> So, Tola, what makes your strategy sharper, and what boundaries do you establish? Sorry about that.
>> Yeah, to answer that question in relation to, say, if there was an incident. Well, I'll start with asking a question now that I know that we have a
bit of time. How many of us have seen our incident response plans for our various organizations? Impressive. Wow. Okay, that's great. And then do we directly engage in IR exercises, by show of hands? Perfect. Has anyone had to implement the playbook in an incident, like, have you had to respond and go with the playbook? How many people have had to do that?
>> Okay.
>> Incident.
>> Good point. Well, I'll ask the lady in red because she raised her hand. So, did things go as planned?
>> Okay.
>> Amazing. No. Well, that's great. So where am I going with this? One of the things I like to do in an incident to stay resilient is name the room. So who's doing what? Who's in charge? People need processes. People need accountability. And as much as it's easy to have a documented IR plan, a lot of times people don't follow it, from what I've seen. And yes, there are components of it that are followed. But in a real incident, people tend to panic a lot. I'll give you a brief example from a previous experience of mine, from a previous life totally unrelated to cyber security. So at one time in my life,
I dabbled in being a flight attendant, and I did that for about a year, and we had to work with checklists, checklists every single time. It didn't matter how many times you flew that aircraft type. It didn't matter how familiar you felt with it. The checklist was the golden rule. It was super important. I say this to help us reflect, because we have our plans. We have a communications person named. We have who you need to reach out to in an incident. But do we really and truly always follow those plans? If you ever find yourself in a position where you need to
lead an incident, you need to be calm yourself, and you need to transfer that calm to the team. You need to quickly, rapidly instigate the process and start to put people in places. Communications is super important, because you don't want messaging going out the wrong window or going out the wrong way. A lot of times we see that happening. There's an incident, and before there is clear communication, there's also a lot of rumors. So, in cyber security groups, I'm on a number of WhatsApp groups, and I can tell you that there are millions of conspiracy theories that go on in those groups, because, I mean, we're all smart people and we're
all itching to know what the outcome is and where the breach may have come from. I find that people work better when there's visible structure. Whether that is in an incident, whether that's in cyber security or whether that's in aviation or otherwise, people need an anchor. Your plan is not just part of your compliance. It is a tool, because it's really not a question of if, it's more like when. So people need to just be very prepared. I like that you shared your half a page of your IR plan. You should share the full thing.
>> First page.
>> Half of the first page, you know, but you need to make that like
the Bible. It's like you're you everyone needs to sort of get conversant with it. So when you go back to your teams, it's important that tabletop exercises are not just a compliance routine, but that we're actually paying paying close attention, you know, to to what we need to do if if there's an in an incident. I say we face the facts first. So that's how I stay grounded is I face the facts first and then we can speculate later. There will always be a lot of speculation. What do we do now? Super important. I find that when people see that there's a process, even if the facts are still evolving, people tend to go from panic to performance.
>> Thank you.
>> Thanks, Tola. I feel like I just got a masterclass in steady incident response. So, Michelle, when the executive team wants speed and certainty at the same time, what trade-off do you name out loud so people align and no one bends out?
>> So when both speed and certainty are the expectation, I relay that there is a trade-off between urgency and thoroughness. In cyber security and resilience, speed is critical, especially when you're containing threats or restoring operations. But certainty takes time: for example, validating data, aligning stakeholders, and following security response protocols. You can't have all of that at full strength without making compromises. So I would convey that we can move fast, but only if we simplify the scope, predefine some of the fallback options, and agree on what good enough looks like. I also emphasize that resilience isn't just about bouncing back to a normal state and going on about our business like nothing happened. It's about bouncing back better. And that does mean post-incident reviews, the PIRs, are not optional. Every event or crisis is a chance to strengthen our posture, and as well the PIRs are integrated into our IT change management, which further enhances alignment and completeness of the process, including opportunities for improvement in action items. So we also build in recovery testing, tabletop exercises, and cross-functional communication drills to make sure speed doesn't come at the cost of sustainability or trust. Ultimately, I and the other leadership make it clear that psychological safety and operational clarity are non-negotiable. We protect our people by naming the limits, aligning the expectations, and not assigning blame or pointing fingers, ensuring that our bounce-back is not just fast, but smarter.
>> That's a remarkable strategy. Thank you for that. Most of us are familiar with our Alberta winters. Winter is loading. So when there's a snowstorm, we slow down, but we don't stop. We don't need to see the whole road clear, just enough to keep moving safely.
Julie, in moments of high pressure, cyber incidents, or broader business crisis, what's your go-to strategy to recalibrate the team's focus, restore calm, and reinforce resilience without escalating tension or losing momentum?
>> Have you ever lived and worked through a perfect storm where the outcomes you expected, well, they made their own decisions? During what should have been a routine UPS test, we found a defective part. At the data center that we rely on, we needed to bypass the power to our generator. Our generator's tested every month. It's got lots of fuel. We know it works. We're good to go. So, excellent, let's move to that. So, we have clean power coming into the data center from the city. Things looked good. The data center was happy. The generator was happy. But this was March of 2023. We went from pleasant winter temperatures to cold and high humidity, and the part for the UPS was delayed. There was a challenge in getting proper support staff. Not everybody we had decent support contracts with was able to work on our UPS the way it was supposed to. Two days of bitter cold later, our generator failed. It spewed oil, and the generator failed because of the condensation and the buildup. Once the generator failed, we lost the data center. It was black, hard down. Have any of you ever been in a data center when nothing is running? It's quiet. Too quiet. It's like when you have a 2-year-old who's too quiet. It's danger. Yeah, it was chaos. But thanks to documented procedures and recovery plans, we got the systems back online. But we also had some environmental cleanup. Did we nail everything? Nope. We missed key communications to the business. We didn't engage HR at the right times, and it uncovered gaps in our plans. What kept us steady was the calm, human-centered approach. When I was running that incident, I listened. I made lists. I'm really good at lists. And I gave experts what they needed: space, coffee, donuts, a reminder to take a walk when frustrations happened. I became a sounding board, and I also became a block to let the technicians do what they do best and to navigate what the executive needed. We made clear timelines for regrouping, because communication is key, and the structures that helped us focus were what allowed us to de-escalate the situation. I'll say this: being a woman in cyber security adds something powerful to moments like these. There's a natural instinct to lead with empathy, to tune into those emotional undercurrents, and to protect the team's well-being. It's not about being soft. It's about being strong in a way that holds space for others to thrive. Resilience isn't about being technical. It's relational. And when women lead through crisis, we bring the kind of clarity and care that
transforms setbacks into breakthroughs. And this is a team approach. Thank you.
>> Thanks, Julie. Any Game of Thrones fans in here? Game of Thrones. Yes. So, I call the Alberta life a song of fire and ice. Go and watch Game of Thrones. So, Florence, as we move toward cloud and passwordless futures, are traditional password vaults holding us back, or can we evolve them to bounce back stronger against credential theft?
>> That's an interesting question, isn't it? First off, the traditional vaults, which store credentials, let's say, are not going anywhere. Let's think of root access, administrator access, or break-glass access. Where do we all save it? It's in the traditional vault, right? As long as the built-in admin accounts of any appliances exist, the traditional vaults will still be there. But what we see is that they are transforming and evolving. In modern ecosystems, we see that secrets are dynamic. They are no longer static. You can see in recent solutions like CyberArk or HashiCorp, or enterprise-wide password management solutions, that they support creating credentials just in time with ephemeral access, so that there are no standing privileges for a user to access a critical system. Another example is where Azure Key Vault plus managed identities give access for a service-to-service type of connection, leveraging the Azure Key Vault policy. So while passwordless, using biometrics or FIDO2, is still evolving and emerging, organizations like healthcare or transportation, like CN, and government agencies will still leverage legacy systems, right? So a traditional vault will still be applied in most cases. So what I would say is the traditional vaults will still act as a bridge to manage the built-in local accounts, while we also see a shift toward using passwordless access. So they will definitely coexist, but for the better.
>> Thanks, Florence. Kim, now you have to fast-track. Give us your 90-second trust message that counts for clients
without sugar-coating. How did you learn to say it that way?
>> I think my quick message internally for my team is: listen, we're all in this together, and we're going to get through this, and we're going to learn from this. So that's the key message, and there's no blame. If you introduce the blame game, then you're going to have a problem. For external communication, which is absolutely critical and I think gets overlooked by a lot of organizations, we have an amazing customer experience team. We are very transparent and open. So, as soon as we had problems, I'd mentioned the Twilio incident, we were out talking to our clients that have integrated our technology behind theirs, because they're the big ones. So, we were immediately notifying them because they needed to do some tech changes on their end. And then we immediately started notifying our clients, our general clients. And then we did constant updates as we went through the process. Now, sometimes it's a little more challenging to communicate that transparently, but I would argue that it's a much better way to go than to wait and have your clients calling you and complaining. So, those are kind of my trust messages. You know, we're in this together. And I think all of us in this room know that that's the case. And the worst thing you can do as an incident manager is start blaming people. And the other thing that you have to do is: I'm the leader. I have to take accountability for all the decision-making and make it very clear that I'm the one that's on the hot seat, not the team. So that's it.
>> Thanks, Kim. And Tola, when regulators or auditors push for more, how do you balance compliance fatigue with sustaining team morale and resilience?
>> I'll try to do this in 90 seconds. So I will say that I have found that the antidote to compliance fatigue is transparency, to your point, and also pacing the team. When you receive a checklist back from the regulator, what you want to do is not just cascade that requirement down to your team. I always come with the why. It's explaining why we need to do it and what the risk to the organization is if we don't do it. Why are we trying to mitigate this? Where does this put us from a compliance perspective? And so having that transparency between myself, the team, and the regulators usually just makes for a better working environment. The second part to that answer is pacing. Now, I realize and recognize that not everything needs to be done at once. So the ability to pace work such that the team doesn't get overwhelmed is another thing that I do to help keep everyone on track. Thank you.
>> Thank you, Tola. And thank you, ladies, for this wonderful session that we've presented.