At the 2024 Three Rivers Information Security Symposium (TRISS), Seiso joined Pittsburgh’s top cybersecurity minds to explore the latest challenges and opportunities in our industry. From proactive risk management to AI governance and the need for diversity, each session provided invaluable takeaways.
Here’s a recap of what we learned, along with recommended actions you can use to simplify complexity, foster resilience, and turn cybersecurity into a sustained advantage.
CISO Panel: Prioritizing Resiliency, Managing the Unknown, and Building Cross-Functional Influence
The CISO panel emphasized that resiliency and adaptive planning are at the core of effective cybersecurity leadership. Panelist Justin Zimmerman from Giant Eagle captured the importance of preparing for the “unknown,” a recurring theme among CISOs who constantly anticipate threats that may fall outside standard protocols. The message was clear. While technical defenses are critical, strategic foresight and flexibility are equally essential in protecting against emerging and unforeseen threats.
The panel also highlighted third-party and supply-chain vulnerabilities, pointing out that vendor partnerships can either strengthen or compromise an organization’s security. Security leaders should seek out reliable partners who align with their specific business needs and offer well-defined SLAs. Vendors that take a consultative approach are typically more effective partners in managing third-party risk.
Building credibility with the board of directors was another central theme, with panelists emphasizing the importance of honesty, transparency, and achievable KPIs. They stressed that realistic expectations are vital for long-term trust, and CISOs gain credibility by showing the board how security impacts the business in concrete terms. Building cross-functional relationships across departments emerged as a key factor for influencing decisions and communicating the value of security to executives. As Zimmerman remarked, “It’s all about influencing without overpromising.” This honest, measured approach was presented as foundational to a CISO’s role.
For aspiring CISOs, the panelists shared several essential skills: strategic thinking, situational awareness, emotional intelligence (EQ), and business acumen. “Developing EQ is invaluable,” shared one CISO, who noted that navigating complex business dynamics requires a mix of technical and interpersonal skills. They emphasized networking, mentorship, and cross-functional collaboration as indispensable for cultivating these qualities, and advised new CISOs to make strategic thinking, EQ, and situational awareness early priorities.
Recommendations from Seiso:
- Prioritize resiliency by developing strategies that prepare for unknown and emerging threats.
- Establish third-party risk management processes to monitor and mitigate vendor and supply chain vulnerabilities.
- Build cross-functional relationships to align security goals with business objectives, enhancing influence across departments.
- Set realistic, measurable KPIs and maintain transparency with the board of directors to build long-term credibility.
Women in Cyber Panel: Empowering Women, Navigating AI, and Building Inclusive Cultures
The Women in Cyber panel explored the unique challenges women face in cybersecurity, reinforcing the importance of a supportive, inclusive work culture. Imposter syndrome was a recurring theme, with panelists sharing how building self-confidence and speaking up in professional settings can empower women entering the field. Jacqueline Lead from PNC remarked, “Sometimes, you just have to speak up and take your seat at the table—even if it feels uncomfortable.” The panel emphasized that cultivating a culture where all employees are encouraged to voice their ideas and perspectives strengthens the organization and builds diverse leadership.
AI’s impact was another key focus. The panelists highlighted AI as both a threat and a tool, warning that the sophistication of AI-driven phishing emails and deepfake attacks is blurring the line between authentic and malicious communications. Traditional warning signs, like typos, no longer suffice. Organizations must provide continuous, context-driven user education to counter these evolving threats. For cybersecurity professionals, developing AI governance frameworks has become a necessity; as the panelists put it, “If you don’t have AI governance yet, start now.” This includes policies around acceptable use, data protection, and compliance to ensure that AI-driven innovations are used responsibly.
Work-life balance, team bonding, and mentorship were also emphasized as essential for retaining a diverse workforce. The panelists noted that career support and a focus on well-being make a meaningful difference in promoting retention and long-term growth for women in cybersecurity.
Recommendations from Seiso:
- Foster an inclusive environment where all voices are encouraged, supporting team members to “take their seat at the table.”
- Develop AI governance frameworks now, defining clear acceptable use and data protection policies to mitigate risks.
- Invest in team bonding and career growth opportunities to retain diverse talent and support long-term development.
- Promote mentorship and skills-building programs for women and underrepresented groups to grow a resilient, diverse workforce.
- Prepare staff to counter AI-driven threats, like phishing and deepfakes, with adaptive, context-based training.
GRC Panel: AI, Compliance, and Vendor Management in the Age of AI
In the GRC panel, AI’s transformative potential for Governance, Risk, and Compliance (GRC) took center stage. Heather Staab from Compassion International discussed how her organization introduced AI tools such as Copilot with strict internal guidelines to ensure compliance and data protection. The panelists agreed that implementing an AI governance framework is no longer optional: organizations should establish well-defined AI use cases, acceptable use policies, and guardrails to balance AI’s benefits with security. “If you don’t have AI governance in place yet, start now,” was the panel’s shared message.
The panel also highlighted vendor risk management, noting that the volume of security questionnaires and third-party audits has become overwhelming for GRC teams. Panelists recommended standardized acceptable use policies and streamlined onboarding processes to manage vendor risk efficiently. A structured approach to third-party relationships reduces exposure and lets organizations balance compliance requirements with operational efficiency.
Balancing security and innovation was another recurring topic. While AI offers competitive advantages, the panelists stressed the importance of security guardrails that foster growth without sacrificing data protection. In the absence of strict regulations, organizations are increasingly responsible for setting their own compliance standards, making these internal guardrails essential to responsible AI adoption.
Recommendations from Seiso:
- Start building AI governance structures immediately, including well-defined use cases, acceptable use policies, and compliance safeguards.
- Streamline vendor risk management by implementing standardized onboarding processes and risk assessment checklists.
- Use internal security guardrails to balance innovation with security, especially when integrating new technologies like AI.
- Establish policies for acceptable AI use within GRC, and monitor to ensure alignment with regulatory and security standards.
- Regularly assess vendor questionnaires to reduce compliance fatigue, focusing on high-impact areas and key vendors.
Small Business Panel: Foundational Cybersecurity with Limited Resources
How small and medium-sized businesses (SMBs) can build a secure environment on a tight budget was the primary focus of the panel’s discussion. The panelists emphasized that “cyber hygiene”—consistent patching, identity management, and asset tracking—forms the backbone of an SMB’s security posture. “Start with the basics,” shared one of the panelists, “because a strong foundation prevents a large portion of common threats.” Taking small, consistent steps makes a meaningful difference, especially for SMBs with limited resources.
Creating a security-friendly culture that empowers all employees to participate in cybersecurity was another essential takeaway. Empathy and accessibility are critical to ensuring employees across all levels understand their role in protecting the organization. Training and awareness programs provide the highest return on investment, especially in smaller environments where IT resources may be constrained. The panel recommended making security approachable and engaging to achieve genuine buy-in and involvement across the organization.
When selecting security partners, the advice was to rely on word-of-mouth referrals and to prioritize vendors who understand the unique needs of the business. Partners should provide clear SLAs and take a consultative approach. Free and affordable resources—including DHS vulnerability scans, CISA frameworks, open-source tools on GitHub, and internships—were highlighted as cost-effective options that help SMBs scale their security posture without large budgets. These resources are most effective when paired with well-structured training and awareness programs that equip employees to recognize and respond to risks.
Recommendations from Seiso:
- Strengthen foundational cyber hygiene by focusing on accessible practices like patching, asset tracking, and employee training.
- Build a security-friendly culture where all employees, regardless of technical ability, are empowered to contribute to cybersecurity.
- Select security partners who add value with clear SLAs, tailor their offerings to your business, and take a consultative approach.
- Leverage free and affordable resources—DHS vulnerability scans, CISA frameworks, and interns—to enhance security on a budget.
- Use training and awareness programs as a high-ROI solution, especially for lean teams.