Events

2023 Event Calendar

We hold a monthly meeting, usually on the fourth Thursday of the month, with tickets available from Eventbrite. If you have a topic you’d like to present on please do get in touch.

Please note: Proposed events are subject to change dependent on COVID and speaker availability. Venues for 2023 may include Spark, The Instillery, Genesis, Datacom and online platforms.

Next meeting:

ISC2 Auckland Chapter End of Year Celebration

Tuesday, December 12 · 4:30 – 7:30pm – Datacom Auckland, 58 Gaunt Street

Another year is winding down so come celebrate with Chapter members at Datacom as we mark another 12 months in cybersecurity.

This will be our 12th and final event for 2023 where we’ve welcomed volunteers to present on anything from ransomware to privacy to cloud security and more.

We’re grateful to the 75 Members signed up to support the Chapter going forward and this will be an early evening social session to come mix and mingle. Guests are also welcome to attend with tickets priced at $25.

We’ll have food and drinks and a presenter beaming in from the US to deliver a topical talk to wrap up the year. Come join us!

Past meetings:

Cookbook for using EPSS scores with Open FAIR

Thursday 23rd November, 12pm, Zoom

The timely application of software patches is the first line of defence against malware by reducing the attack surface. This presentation will discuss how to apply the FAIR-CAM model to inform on the effectiveness of a patch prioritisation policy.

The current vulnerability approach of applying all available patches based on the CVSS base score places an unsustainable demand on cyber defenders. For example, security standards such as PCI DSS mandate that all vulnerabilities detected in the protected asset in the CDE (Cardholder Data Environment) with a CVSS base score of 4 or higher must be remediated. Research published by the FIRST Exploit Prediction Scoring System (EPSS) Special Interest Group found that the number of disclosed vulnerabilities has steadily increased over the years, driving the need to prioritise vulnerability remediation to reduce the risk of attacks.

The prioritisation policy is akin to the Anti-Lock Braking System (ABS) controlling the brakes (patching action). An overly aggressive ABS system will result in harsh braking and even skidding on slippery roads. ABS reduces the braking force to allow controlled slippage of the tyre to maintain traction with the road surface. Similarly, the patch prioritisation policy adapts to the business environment to ease the pressure on the patching process. This pressure reduction mechanism is essential to maintain the focus and operational effectiveness of the cyber defence team to minimise the risk of patching fatigue.

Unfortunately, the EPSS approach has attracted demands to publish a mapping to CVSS to replace the current CVSS-based patching threshold. This simple mapping approach could be misleading because EPSS only considers vulnerabilities that have been exploited with no business contextualisation of the targeted environment. Open FAIR, on the other hand, is purposely built to capture business context for cyber risk measurements. Denny leads the “Cookbook for using EPSS scores with Open FAIR” project, bringing these two powerful frameworks together to provide practical guidance to cyber defenders to curate reasonable and defensible patching thresholds for different assets. The current one-size-fits-all fixed CVSS-based patching threshold for all assets can be relaxed to enable targeted and proportionate vulnerability programs, delivering the goal of “Patching less to deliver more cyber risk assurance”.

Speaker Bio:

Denny Wan

Denny is the chair of the FAIR-CAM Workgroup and founder of the Sydney Chapter of the FAIR Institute. He is a recognised global thought leader in applying the FAIR Cyber Risk Quantification framework to enable the management of cyber risks as financial risks. His post “Targeting cyber security investment – the FAIR approach” lays the foundations for this cyber risk management paradigm. Denny is an individual member of the Open Group Security Forum, by invitation, tasked with the mission to raise awareness of FAIR in ANZ. He is a member of the FIRST EPSS SIG interoperability workstream tasked with improving the practical adoption of EPSS to inform patch prioritisation policies.

Past/Future: Events that changed the way we look at cyber security

Thursday 26th October, 12.30pm, Zoom

Embark on an extraordinary journey through time, from the roots of the digital age to the uncharted future of cybersecurity. Join us for a Zoom conference that promises to not only inform but inspire, as we delve into the transformative events that have reshaped our perception of security.

Our virtual gathering offers a captivating perspective spanning six decades (60 years), a testament to the ever-evolving landscape of technology and information security. We invite you to partake in this knowledge-sharing session where we aim to fortify the very foundations of security standards within organisations.

Speaker Bio:

Adwin Singh, Cyber Security Domain Lead – CISO Office

With 20+ years of experience in Cyber Security Risk Management, Security Governance, Security Compliance and Security Consulting and ISO Standards Committee Member.

Cyber Threat Intelligence for Critical Infrastructure

Tuesday 26th September, 12.30pm, Zoom

The Asia Pacific region has seen an increase in cyber threats over the last decade with industry and critical infrastructure providers at the new frontline of contemporary warfare in the ‘5th domain’ of cyberspace.

Democratic governments are struggling to protect their citizens from cybercrime and their national critical infrastructure from interference and attack.

Australia has responded by establishing 11 critical infrastructure sectors and 22 categories of “critical infrastructure assets” via the Security of Critical Infrastructure Act in 2018 and subsequent updates in 2021 and 2022 that have increased government assistance, intervention and direct obligations on key companies.

This presentation outlines the key benefits of taking a cross sector approach to cyber threat intelligence sharing (CTI) to defend critical infrastructure and the formation of the non-profit CI-ISAC Australia in February 2023. Uniting industry professionals provides a low-cost, sustainable way for defenders to leverage their spend and uplift security at scale.

Scott’s talk will highlight the key challenges of establishing and running a data sovereign national information sharing and analysis centre (ISAC) by drawing on some of the lessons learned in setting up CI-ISAC. With DPMC recently releasing a discussion document on strengthening New Zealand’s critical infrastructure system this will be a timely talk to attend.

Speaker Bio:

Scott Flower, Co-Founder, Critical Infrastructure Information Sharing & Analysis Centre (CI-ISAC Australia)

Scott is a graduate of the University of Canterbury and prior to moving overseas, he worked in New Zealand as a guide and in emergency management as a professional mountain rescuer and team leader for the Department of Conservation SAR in Mt Cook and the New Zealand Police SAR in Christchurch.

Prior to founding CI-ISAC Australia, Scott worked as the Global Intelligence Officer for FS-ISAC, where he was responsible for leading the threat intelligence fusion cell for the global financial sector in Asia Pacific.

Before becoming an academic, Scott had a stint at the Australian Security Intelligence Organisation’s (ASIO) critical infrastructure protection directorate (CIPD), where he was Lead Analyst responsible for banking and finance and oil and gas sector, authoring national threat assessments to key state government and private sector CI owners and operators. He then spent a decade in academia at the University of Melbourne and the University of Western Australia.

Scott holds a PhD from the Australian National University (ANU) and a master’s in strategic studies (ANU) and has published two books and over a dozen leading peer-reviewed academic journal articles in journals such as the Australian Journal of International Affairs, Defence and Foreign Affairs Strategic Policy, Journal of Pacific Affairs, and the Journal of Pacific History.

Demystifying DMARC – What it is, what it isn’t, and how to get it done

Thursday 24th August, 12:30pm, Zoom

Implementing DMARC is deemed to be hard/dangerous, you’ll drop email, don’t do it and it’s hella expensive sort of thing…it really isn’t, and can be a lot easier than many make it out to be.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the technical standard that ensures protection for email communication from online threats by the efficient control and authentication of the email traffic on your domain.

It’s designed to give email domain owners the ability to protect against unauthorised use, commonly known as email spoofing. The purpose and outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams, and other cyber threat activities.

Speaker Bio:

Steve Rielly of Katana Tech, with near on 30 years in IT Security and implementing DMARC with a Department of Internal Affairs assessed service that is one of, if not the only, DMARC services on the Digital Panel, will step through how you can implement DMARC without dropping a single business email.

Strengthening Your Security Posture with Microsoft 365 E5

Thursday 27th July, 12 – 1:30pm
Microsoft, Level 5, 22 Viaduct Harbour Avenue, Auckland

The journey from vulnerability to resilience is not an easy one, but it is essential for the survival and success of any organization in today’s digital landscape. Microsoft 365 E5 provides a comprehensive suite of tools and services that can help you navigate this journey with confidence. By leveraging its advanced security features, you can strengthen your security posture, protect your digital assets, and safeguard the trust of your customers.

Speaker Bio:

Paul Caldwell: Dicker Data Microsoft Security Business Development Manager

“To securely empower every person and every organization on the planet to achieve more”. Experienced Microsoft Security Evangelist: Enterprise Admin, Architect, Operations Analyst, and Trainer.

With a solid background with leading international software vendors, including serving as the NZ country manager for StorageCraft (Arcserve), Paul brings unrivalled experience and expertise to his roles. Paul’s professional experience includes country management, channel enablement, project support, change management, system development, training, and cyber security. Recognised as a finalist in the Reseller News 2021 Individual Technology Innovation Awards.

Show Me the Threat Model: Anticipating and embracing threat modelling mandates for strategic advantage

Thursday 22nd June, 12 – 1:30pm
Microsoft, Level 5, 22 Viaduct Harbour Avenue, Auckland

Agenda
12:00 pm – 12:30 pm – Arrival / Networking
12:30 pm – 12:40 pm – Chapter AGM
12:40 pm – 1:30 pm – Presentation and Q&A

Due to recent shifts in regulatory, industry, and insurance/risk mandates, organisations around the world increasingly find they need to establish, expand, or mature their enterprise threat modelling practices. In April, CERT NZ and NCSC-NZ jointly published (with sister agencies in the United States, Australia, Canada, the United Kingdom, Germany, and the Netherlands) a guidance document on Secure-by-Design and Secure-by-Default principles, in which the authoring agencies recommend using a tailored threat model “to address all potential threats to a system.” While the New Zealand government hasn’t yet issued any threat modelling mandates, our neighbours in Australia have – in the form of the Security of Critical Infrastructure (SOCI) Act of 2018 (amended April 2022).

In this presentation, John will begin by reviewing the current threat modeling mandates in other countries, the drivers behind them, and what such a mandate could mean for New Zealand organisations.

Next, he’ll present five key principles for maximising organisations’ return on their threat modeling investment, generating long-term strategic benefits that can extend well beyond simply being able to assert compliance.

John will conclude with pointers on launching a threat modeling practice, with a focus on building momentum and driving value and increased adoption through “quick wins.”

Speaker Bio:

Dr. John DiLeo is a leader of the OWASP New Zealand Chapter and, in his day job, is a lead Solution Architect at IriusRisk, covering the Asia/Pacific region. Before joining IriusRisk, John led the Application Security Services team at Datacom, providing support and guidance to clients in launching, managing, and maturing their enterprise software assurance programs.

Before turning to full-time roles in security, John was active as a Java enterprise architect and Web application developer. In earlier lives, John has been a full-time professor and held several roles as a systems engineer, specialising in developing discrete-event simulations of large distributed systems to support enterprise decision-makers.

John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, leads the OWASP State of AppSec Survey Project, and is a member of the OWASP Education and Training Committee.

Cloud Computing Risk Assessments using the CSA’s Octagon Model

Thursday, May 25 · 17:00 – 19:00
Workday Auckland, 152 Fanshawe Street #Level 2

Play the ‘Fellowship of the Cloud’ board game and learn the Octagon risk assessment model

The Cloud Security Alliance’s ‘Octagon Model’ provides a standardised way to generate cloud computing risk assessments.

With Microsoft and Amazon committed to delivering new public cloud data centres in NZ, it seems like the perfect opportunity to explore the Cloud Octagon model together and play through the accompanying board game “The Fellowship of the Cloud” to gain awareness and understanding of the approach.

CSA believes “the model makes it easier for organizations to identify, represent and assess risks in the context of their cloud implementation” across security, legal, privacy, data protection and compliance domains referring to the Cloud Security Alliance Cloud Controls Matrix (CCM).

We’ll be using the Octagon model and the awareness raising board game developed by Dutch bank ABN AMRO to evaluate this approach to identifying and mitigating cloud risks.

Speaker Bio:

Chris Hails is a consultant for ZX Security. He previously headed up information security for Heartland Bank, has worked at New Zealand’s National Cyber Security Centre and developed the ORB incident reporting platform for Police and DIA at NetSafe.

ISO 27001:2022: What’s changed and what to consider in a new implementation

Thursday, April 27 · 12:30 – 13:30
Zoom webinar

The ISO 27001 standards were updated late last year and replace the version from 2013. Why? And what does this mean for your ISMS?

Come and join us for a Zoom-based knowledge sharing session regarding the recent changes in ISO 27001, ISO 27002 and ISO 27005, learn how it impacts your current certification and what to think about during a new implementation, transition and on-going maintenance.

Changes we’ll discuss:

  • The number of controls has decreased from 114 to 93
  • A new control released: Threat Intelligence
  • The event-based approach is contrasted with an asset-based approach to risk identification.

Speaker Bio:

Adwin Singh, Cyber Security Domain Lead – CISO Office

With 20+ years of experience in Cyber Security Risk Management, Security Governance, Security Compliance and Security Consulting and ISO Standards Committee Member.

Prevention vs Protection in a Cloud Native World

Thursday 23 March, 12:00 – 13:30
Spark, 167 Victoria Street West

With so much noise in the cloud native security landscape, we welcome Madhul Sachdeva to explore the top 4 concerns that security teams are attempting to address:

1. Leveraging DevOps for security

2. Shift-Left or Shift Right?

3. The agent vs agentless approach

4. Open source vs best of breed tactical solutions vs platform solutions

About the Event:

In-Person ticket holders can come and network from 12 midday with the presentation in the room also streamed to Webinar ticket holders from 12.30pm.

Speaker Bio:

Madhul Sachdeva is a respected cyber security thought leader with sound business acumen who is currently working as a Cloud Native Security Specialist at Aqua Security.

With 18+ years’ experience in the ICT industry, he has worked with several organisations from early-stage start-ups to Fortune 100 large enterprises, focusing on the secure design and delivery of infrastructure and applications across on-premises, hybrid and cloud environments.

Madhul is a technologist at heart, who is passionate about creating awareness about cyber security in general and devising strategies for mitigating risks associated with use of technology-based attacks like identity theft, data leaks, cyber-attacks etc. He holds numerous industry certifications with a special interest in cloud and Kubernetes security.

Navigating NZ’s Privacy Landscape in 2023

Emma Pond from Simply Privacy will provide an update on what is new and exciting in the world of privacy, including a look at what we can expect to see over the coming year such as the impact of the Aussie privacy law reforms on NZ, the developing Consumer Data Right regime, and potential changes to NZ privacy laws re notification and biometrics.

Speaker Bio:

Emma has been a privacy professional for over 20 years, with time spent at the Office of the Privacy Commissioner and as an in-house corporate privacy lawyer. After joining Simply Privacy she has advised clients in the privacy and public sector across a broad range of privacy issues, with a particular interest in providing training for Privacy Officers.

About the Event:

In-Person ticket holders can come and network from 12 midday with the presentation in the room also streamed to webinar ticket holders from 12.30pm.

The Mental Impact of Ransomware Incidents

Thursday 26th January

What is the impact of a ransomware incident? We hear stories of having no IT for 23 days on average, of loss amounts per day, of ransom demands in the millions. This is all part of the directly visible impact of ransomware. But there is an invisible side to the impact as well! The mental impact of these incidents on the management, IT staff and other employees of a victim company is huge.

We performed qualitative and quantitative research among ransomware victims, a year after the incident occurred. In this presentation I talk you through our findings and show how different groups in victim organizations experience this mental impact, and what factors contribute to this experience. So join this session if you want to hear how psychology can help us in cybersecurity incidents!

Speaker: Inge van der Beijl

Inge is Director Behaviour and Resilience and Head of Expertise at Northwave, an international cybersecurity company with its headquarters in the Netherlands. Inge has a degree in Social & Organisational Psychology (2004) and Change Management (2011). She has almost 20 years of experience in the security field. In 2008 she served in Uruzgan as an Operational Analyst. She worked for 14 years at TNO in different roles, from researcher to department manager. Since 2018 she has held her current position at Northwave. Within her unit Northwave helps clients to increase their level of awareness, cyber safe culture and resilience of their organisation. As a side task Inge takes part in the Northwave Computer Emergency Response Team as lead negotiator during ransomware incidents.

Hackers Without Borders – For A Better World In Cyberspace

This is a hybrid event: there are limited tickets to join us in person or listen in over Zoom.

With cyberattacks globally on the rise, organisations are needing to invest more in securing themselves against such threats. These investments, based on business objectives, frameworks and assessments, help to secure organisations against online threat actors.

As demonstrated by the cyberattack against The Red Cross in January this year, non-profit organisations operating for the public good are not immune to these threat actors. Relying on volunteers and donations, they’re often not in the same position to invest in strengthening their security posture as government entities and companies are.

Hackers Without Borders is an international humanitarian association that provides emergency assistance to non-governmental institutions in the event of crises and disasters related to cyberattacks.

Speaker Bio:

Julian Wendt is the APAC representative of HWB and Senior Security Consultant | CISO at The Instillery.

Join us from 5pm for drinks, snacks and networking with Julian’s talk beginning just after 5.30pm

Data Security, Governance and Data Estate Management with Microsoft Purview

Enterprises often store data across multiple cloud providers and cloud services. Ensuring proper use and governance everywhere is a challenge. Microsoft Purview includes a set of solutions for this and more related data governance, compliance, and data security challenges.

This talk will cover the basics of Microsoft Purview, its many components from a high level, deepening into its information protection capabilities.

Speaker:

Andre Camillo is a computer engineer who was always passionate about the value of connections and the network. His career spans more than a decade of IT experience starting with Cisco networking technologies migrating over to network security after understanding the importance of security to users online. He has always been interested in how things work and sees network architecture as crucial to better design, to propose and govern risks and compliance processes.

He has worked with Cisco security, Trend Micro, and other technologies in the field for more than 6 years helping customers understand how these solutions can work in their environments and supporting proof of concepts among other activities. Customers include small, medium, and large businesses in Brazil and more recently in NZ.

As a Security & Compliance Technical Specialist at Microsoft New Zealand, he has been supporting Enterprise and Public Sector entities with securing and achieving their cybersecurity and data security goals with solutions such as Defender for Endpoint, Sentinel, Defender for Cloud, Information protection and more.

In his free time, he runs, plays the piano, and maintains his personal cloud and cybersecurity blog.

Cyber Insurance – The Changing Landscape – 22nd September

An update on the rapidly evolving cyber insurance market

As cyberattacks continue to rise, insuring against the threat is becoming more expensive while coverage levels decline.

Over the past two years cybersecurity threats from data breaches, ransomware, and phishing attacks have been front of mind for many New Zealand based companies. As the attacks increase, recovery efforts have become significantly more expensive. This trend is expected to continue for the foreseeable future. Many of these organisations are reducing their financial risk through cyber insurance. The new challenge they face is staying ahead of changes in premiums and coverage.

Speaker:

Emily Craig
Practice Leader – PI, Tech and Cyber, Chubb Insurance

Automation and simplification for ISO27001 compliance with ServiceNow IRM – 25th August

ServiceNow IRM is an integrated risk management module that helps provide better governance, risk and compliance (GRC) for organisational policies, standards, and procedures.

The IRM module also enhances the ability to handle risk confidently by improving your resilience, gaining real-time visibility, increasing productivity and helping you communicate effectively.

Adwin Singh will explain his IRM journey so far by addressing these questions:

  • Why ServiceNow IRM (GRC)?
  • What challenges are you addressing with this module?
  • How IRM architecture works for inherent exposure, vulnerability and threats to internal goals and objectives, mapped to external legislation and regulations.
  • What are the benefits and why?
  • What’s next within our journey?

Speaker Bio:

Adwin Singh, Chapter Lead – Security (GRC) Certification and Accreditation at Spark.

With 20+ years of experience in Security Risk Management, Security Governance and Security Compliance, focused on helping organisations across multiple sectors regarding compliance objectives to standards such as ISO standards, NZISM, PCIDSS and ISAE3402 (SOC).

Don’t Get Popped: Third Party Risk Management Do’s and Don’ts – 28th July

Third party risk management is a regulatory requirement in most highly regulated industries and good practice in all industries. Contemporary approaches are mired in lengthy and complex assessments of the security controls of the third party and do nothing to manage cyber risk to the organisation. In this session, Eghbal and Nabeel will share their experience of implementing third party risk management and will discuss how best practices may drive greater value for your organisation.

About the speakers

Eghbal Ghazizadeh

Eghbal is Group Information Security Manager for Mercury NZ and leads the security program to earn stakeholders’ trust and fuel the company’s growth. Eghbal also helps shape cybersecurity practices by teaching at AUT University and sharing knowledge through writing, public speaking, and community projects. He has been hands-on in many areas of cybersecurity and IT and now focuses on strategy and leadership, treating security as an enabler that helps people and companies achieve their goals.

Nabeel Albahbooh

Nabeel has multinational leadership and consulting skills with 17+ years of experience in cybersecurity across the Middle East, Europe, and Australasia. Nabeel joined Datacom last November as a Principal Cybersecurity Architect, leading various security projects and initiatives, including Zero Trust Security, Security in Project Management, Security Architecture, and Security Standards Development. Nabeel holds a Master’s degree in Computer and Information Engineering.

Finance Sector Intelligence Sharing – 26th May

The Financial Services Information Sharing and Analysis Center (FS-ISAC) was created in response to a US Presidential Directive in the late 1990s and has grown over the last 20+ years to become the only global cyber intelligence sharing community focused on financial services.

With hubs in the UK and Singapore and membership drawn from more than 70 countries, it provides financial institutions – and in turn their customers – with an intelligence platform and trusted peer-to-peer network to identify and address cyber threats.

Regional Director Lachlan Pope is visiting NZ in May and will share how the organisation works to ensure resiliency and continuity around the world, the value of a dedicated ISAC for industry sectors and how exercises such as the recent ‘live fire’ Locked Shields event can bring benefits for cybersecurity teams.

About the Speaker:

Lachlan Pope | Regional Director, ANZ & Indo-Pacific

Lachlan was an Entrepreneur having started a number of successful businesses, with a BSC-Applied Psychology and an MBA. In his 20+ year career, he had worked primarily in the FMCG, Finance, and Health Sectors. The common link has been fulfilling leadership roles that drive businesses forward by valuing each individual relationship and creating a culture of success. Lachlan is excited to be involved in the expansion of FS-ISAC in Australia, New Zealand & Indo-Pacific.

Common Issues with Azure Security – 28th April

For our April 2022 Chapter event, we’ll be having a candid conversation about what goes wrong in Azure environments. Scary? Maybe. Useful? Definitely.

Questions we are addressing:

– What are the most common NZ misconfigurations being seen in production?

– What specific NZ challenges are there? (NZISM compliance, etc.)

– What are the top categories of protection to think about when going into Azure?

Please bring your questions and prepare for active discussion on common cloud security failings.

Speaker Bio:

Blaise St-Laurent – Director of Cloud Security

I’m the Cloud and Architecture Lead at ZX Security. I’ve got 20+ years’ experience in security, on both sides of the red/blue team boundary. Pivoted from network security to cloud 3 years ago as I thought the lifespan on most private data centre presences was severely limited. I’m cloud agnostic, working in a number of different public cloud environments including Azure, AWS, Google and Oracle.

5 Wicked Cybersecurity Problems for 2022 – 24th March

Wicked Problem: Lacks clarity in both aims and solutions, the problems are subject to real world constraints, which hinder risk free attempts to find a solution

The last two years have presented us with a cybersecurity environment that has expanded the attack surface of our networks with teleworking / remote access and new technologies such as 5G. The effects on supply chain have surprising security ramifications, and we have seen a steady rise in ransomware attacks.

In this context, we are going to discuss 5 wicked problems that we may face in 2022, based on the trends we have seen, and the challenges with investigating mitigation solutions, designed to reduce impact in the future.

Speaker Bio – Bryce Antony

Bryce is a Senior Cyber Security Engineer with Advantage in the SOC based in Palmerston North. Bryce has a PhD in Cyber Security and Risk enumeration / Risk management, a Master of Information Security and Digital Forensics and an MBA.

CyberCrime 2022

Human Centred Cyber Security – 27th January

Tackling phishing by moving beyond spam filters and blaming the end user

Phishing attacks cost the global economy US$20 billion in 2021 alone and that number is only projected to go up. Within 10 years, global costs related to ransomware – often installed following successful phishing attacks – are projected to balloon to US$265 billion a year. We are hoping to change that.

Until now, most work aimed at stopping phishing has focused on technological fixes or on “blame-the-user” approaches. The problem is, neither approach is doing enough.

Technological approaches have undeniably had an impact. Spam filters and similar tools stop about 90% of malicious emails. But that still leaves 10%. Given the sheer volume of phishing emails – 160 million per day – most people are still confronting potentially dangerous emails on a daily or near-daily basis.

Current user-based interventions aren’t solving the problem either. Certainly, education can help people learn to recognise signs an email may be suspicious. However, 65% of companies that have been victims of phishing attacks had previously performed some form of training.

With my team, we want to focus on something new: the individuals involved and the circumstances in which they receive and deal with phishing attacks.

Speaker Bio:

Dr Giovanni Russello is an Associate Professor and the Head of the School of Computer Science at the University of Auckland. Giovanni is directing the Cyber Security Research Programme, a multi-million project funded by MBIE to improve the cyber security stance of NZ and increase the collaboration between NZ and AU researchers.

He is the founding Director of the Cyber Security Foundry, the first New Zealand multi-disciplinary centre in Cyber Security aiming at improving the collaboration between industry and academia. Between 2013 and 2014, he was the founding CEO of a startup targeting the smartphone security market.

He received his M.Sc. (summa cum laude) degree in Computer Science from the University of Catania, Italy in 2000, and his Ph.D. degree from the Eindhoven University of Technology (TU/e) in 2006. He did his postdoc in the Department of Computing at Imperial College London, UK.

His research interests include human-centred cyber security, policy-based security systems, privacy and confidentiality in cloud computing, smartphone security, and applied cryptography. He has published over 140 research articles in these research areas and has two granted US patents in smartphone security.

Happy First Birthday Privacy Act 2020 – 9th December

Come recap NZ’s first year of mandatory breach notifications and recent privacy developments

One year after the long awaited Privacy Act 2020 came into force Emma Pond from Simply Privacy looks at its impact to date – mandatory breach notification, compliance notices, Covid and a couple of big privacy breaches – and what we can expect on the privacy front in the year(s) to come.

Speaker Bio:

Emma has been a privacy professional for over 20 years, with time spent at the Office of the Privacy Commissioner and as an in-house corporate privacy lawyer. After joining Simply Privacy she has advised clients in the privacy and public sector across a broad range of privacy issues, with a particular interest in providing training for Privacy Officers.

How risk quantification can help organisations become more resilient – 25th November

Learn how to quantify risk with FAIR and RiskLens

Cyber security has taken centre stage during the pandemic: more businesses are transacting online and employees have become remote workers. Organisations want to know the likelihood of a cyber incident occurring and the impact on the organisation’s ability to recover and maintain its business objectives. RiskLens, built on the FAIR standard, provides the ability to quantify cyber risks in financial terms.

Speaker Bio:

Ruby Li is an Associate Partner for security strategy, risk and compliance (SSRC) across Australia and New Zealand at IBM Security, focused on helping clients across the Financial Service Sector. She brings 20+ years of experience across consulting and implementation of security solutions.

Breaking a Cybercriminal’s Heart: Ransomware Mitigation – 28th October

Ransomware is one of the most active threats facing organisations today, of all industries and sizes. Years after the WannaCry attacks disrupted businesses globally, ransomware infections continue to dominate headlines and business discussions.

The impact of a successful ransomware deployment includes both technical and non-technical challenges and can be crippling to business operations and brand reputation. Ransomware is top of mind for many executives who challenge their security practitioners to provide assurance on limited or no budget.

In this (ISC)2 event we will cover:

  • Advanced ransomware techniques require a holistic security risk mitigation strategy from the leadership to practitioners.
  • Why being 100% secure is unrealistic, and how to help the C-suite understand this.
  • Ransomware prevention best practices with tools and techniques to deploy with your business.

Speaker Bio:

Ray Dussan has over 11 years of security experience leading security teams and helping organisations protect their data and brand reputation across the UK, the US and New Zealand. Ray is the founder of Simplify Security Ltd, a New Zealand-based information security service provider that focuses on cloud security, security assurance, security compliance and security transformation.

Simplify Security offers affordable subscription-based security services and white hat hacker and is on a mission to: 1. Make New Zealand safer; 2. Grow, retain and attract cyber security talent in New Zealand.

Risk Management in an Unfair World – 23rd September

An intro to using FAIR to quantify and manage risk

Factor Analysis of Information Risk (FAIR) is billed as “the only international standard quantitative model for information security and operational risk.”

It provides a model for understanding, analysing and quantifying cyber risk and operational risk in financial terms.

In this session, Marty Rickard will discuss how FAIR helped secure the OT/ICS environment of one of NZ’s leading electricity generation companies.

Speaker Bio:

“Marty The OT Security Guy”

Qualified Industrial Electrician
20yrs Industrial Automation / Process Control Engineer
6yrs OT/ICS Security
SANS ICS410, ICS515
Currently Nozomi Networks ANZ/APC Senior Customer Success Advisor

Making Money from Cybercrime – 26th August

The internet has brought us many wonderful things – cybercrime is not one of them. It’s already estimated to be a $1 trillion problem and growing year on year, with the head of Interpol stating that “more than half of humanity is at risk of falling victim.”

Whilst we wait for normality to return and for the COVID lockdown levels to allow us to get together again face to face, come join our lunchtime Chapter session for a lighthearted look at how to profit from the problem.

We’ll compare starting your own evil empire, building a successful business and investing in crypto and equities markets to build long term wealth. All are welcome and sharing ideas is encouraged.

Speaker Bio:

Chris Hails once worked for Investors Chronicle magazine and has dabbled in equity investing for the last two decades. He’s also started and run two successful businesses but never quite managed to sell out to cash rich venture capitalists.

Microsoft CRSP – The nicest team of security experts you never want to meet – 22nd July

Alan will share some details around the role of the CRSP or Compromise Recovery Security Practice team in Microsoft which provides post breach capabilities, and its offerings around CR and ransomware recovery.

There will be some stories from the field from previous engagements and some advice on how to avoid ever needing their services.

Speaker Bio:

Originally from the UK and with 25 years’ experience in the IT industry, Alan Johnstone has been based in New Zealand since 2005.

The only NZ-based member of the Global CRSP team, Alan has worked at Microsoft for two years; prior to that he was employed at NTT Dimension Data and Dell.

An (ISC)2 member for 5 years, he presently holds CISSP and SSCP certification.

Individual, Organisational, and Technological Factors in Phishing Attacks – 22nd June

Phishing scams are responsible for almost one in three data breaches and the cost of ransomware to businesses is estimated at over $8 billion globally. To prevent this, a well-designed continuous security training and educational program needs to be established and enforced in organisations.

Prior studies have focused on phishing attacks from a limited view of technology countermeasures, email characteristics, information processing and securing an individual’s behaviour to tackle existing gaps. In this research, we developed a theoretical model of factors that influence users in the clicking of phishing emails from a broader socio-technical perspective. We applied Protection Motivation Theory (PMT) and habit theory for investigating individual factors accordingly.

Protective controls, such as email proxy, anti-malware and anti-phishing technologies, can give employees a false sense of security, causing them to drop their vigilance because they incorrectly assume such measures intercept all phishing emails before they reach their inbox. The results of this study can be used to design phishing simulation exercises and embedded training for vulnerable employees.

Bio – Farzan Kolini

Farzan is a manager within Deloitte’s Risk Advisory Practice in Auckland. Farzan is also a PhD student in the department of Information Systems at the University of Auckland, New Zealand. His research interests include cybersecurity intelligence sharing, phishing and email security, and national cybersecurity strategies. His works have been published in journals and conferences, including the Journal of Computer Information Systems, Pacific Asia Conference on Information Systems, and Australian Conference on Information Systems.

Bio – Priyanka Ram

Priyanka is a Senior Consultant within Deloitte’s Risk Advisory practice based in Auckland and specialises in Cyber, Privacy, and Resilience. Priyanka has 3 years of professional experience within Cyber Security in NZ, with experience in providing tailored services across a diverse range of business units.

The impact of identity theft and cyber-related crimes – 27th May

The financial impact of cyber crimes on New Zealand is currently impossible to accurately determine. The consensus amongst those involved in assisting victims of these crimes is that there could be as much as $500 million a year being sent offshore as a result of these offences. The ongoing psychological damage to victims however cannot be quantified.

Neil will talk about the charity he works for and what the charity does to assist individuals and organisations impacted by these crimes. Established in 2014 IDCARE is New Zealand’s only support service specifically set up to assist victims of identity and cyber-related crimes.

Speaker Bio

Neil Hallett is the New Zealand Operations Manager for Identity Care Australia and New Zealand Limited (IDCARE). He started this role in April 2020. Prior to joining IDCARE Neil served in the New Zealand Police for 35 years.

During his career Neil undertook many senior operational, investigations and intelligence roles. His last role was as the Senior New Zealand Police Liaison Officer (PLO) for the Americas, based at the New Zealand Embassy in Washington DC.

The Washington PLO post was set up after the September 2001 terrorist attacks. The post’s focus is countering terrorism and transnational organised crime. In this role Neil liaised with law enforcement agencies across the Americas to advance the New Zealand Police Vision – To be the safest country.

Before his Washington role Neil worked at Police National Headquarters in Wellington in a range of roles including investigations, intelligence, major event planning and liaison with national and international law enforcement and intelligence agencies.

Strategic Value Risk Equation (‘SVRE’) – 22nd April

Watch a recording of this session online

Gabriel has leveraged his broad-spectrum background to develop the “STRATEGIC VALUE RISK EQUATION (‘SVRE’)”, an approach for creating business value through effective risk management that enables (1) optimisation of risk profile; (2) maximisation of risk posture; (3) maximisation of risk agility; and (4) maximisation of risk mitigation controls efficiencies.

The SVRE is an approach that can be leveraged to define strategic-value-aligned security strategy and security operations management frameworks. Gabriel, at the April seminar, will look to answer the following questions:

  • Could security drive value creation and protection of created value? If yes, how?
  • Could we, as security professionals, define, maintain, and deliver effective Security Strategy? If yes, how?
  • Is there a way to harmonise Risk Management and Security Strategies, as well as Security Operations into a unified Value Management Strategy?

Speaker Bio

Gabriel Akindeju is an innovative and strategic Technology Risk Management and Security Management thought leader with background in Enterprise Technology Risk Management and Enterprise Security Governance and Architecture; Information Systems Management; Instrumentations and Controls Engineering; Electronic Electrical Engineering; PRINCEII and Agile practices.

His overall objectives are to help organisations (1) leverage effective technology risk management and security for the creation of stakeholder values by optimising risk-reward dynamics (i.e. improve Risk Agility and Controls Optimisation Efficiencies), and (2) prevent value erosion via the deployment of effective risk and security operations management framework and processes (i.e. optimise Risk Profile and improve Risk Posture).

Gabriel is skilled in transformational Enterprise Technology Risk Management and Security capability maturity uplifts and has helped various organisations, including in his current role, bootstrap capability maturity programmes through structured yet agile architectural frameworks and processes. He has a special knack for senior leadership engagement and can drive positive uplift in enterprise culture shift through simple, easy to manage and yet effective initiatives.

Gabriel is a prolific innovator and an advocate of continuous improvements through adoption and applications of complex adaptive system integration concepts. He is passionate about the alignment and transformation of technologies; and technology governance and management processes into strategic enablers and competitive differentiators for businesses through risk optimisation.

Gabriel was the winner (one of 2) of the UK’s 2006 best IS dissertation award for his work on RFID, courtesy of ISACA, UK, and was cited in the 2008 edition of Marquis Who’s Who in the World. He also won an Oceania Geographic Region CRISC award in Dec 2012. More recently he was cited in Volume 4 (June 2020) of the ISACA Journal – Building Enterprise Security Programme.

Gabriel often speaks at professional seminars and likes to help professional candidates seeking certifications through both formal review seminars and informal mentorship. He enjoys professional teams who take pride in value creation, professionalism and training, and who promote personal professional development as tools for defining, creating, and delivering superlative customer experiences.

Winning the Phishing Battle – 25th March

Victory in battle not only requires good planning and strategy, it also needs the right weapons. It is almost impossible to win a battle with swords when the opponent utilises guns. Similarly, to always win the never-ending and ever-growing phishing battles in business, one needs a proper strategy (awareness and incident response plan) and the right weapon (tool). In this presentation, Maziar will walk you through the challenges of detecting sophisticated phishing attacks, while explaining what weapon is most suitable to protect your business and ensure your victory. To demonstrate this process in action, Maziar will give you a live demo, so you can see first-hand how easy it can be to win this war.

Speaker Bio:

Maziar Janbeglou obtained his PhD in computer science from the University of Auckland in 2018. His research covers the effectiveness of reputational based security tools that rely on IP addresses, domain names and URL based reputation. He then took his research to the next level, from reactive (reputational-based) protection to proactive (never-before-seen) detection and protection and founded the SafeToOpen company. His ideas have now been implemented in SafeToOpen products to provide businesses with the right tools to win phishing battles.

Zero Trust Architecture – 26th February

Well, you have all heard the buzz, it’s been going on for years, so what is it really? Is it real? Can it work? According to many vendors, they have the solution for you, just follow their instructions and all will be okay? Really? Currently CEOs are caught in the “digital transformation” or flight to the cloud mass, because they have to save costs, and stay competitive with others. Is it the right time to even consider Zero Trust Architecture let alone Zero Trust Security?

Is it just a philosophical journey, a heap of vapourware and half promises? Why on earth should you and your organisation even consider, even review the way traditional security is working or not working within your respective organisations? Can you fail changing to Zero Trust Security or related Zero Trust Architecture? How long will it take? What are the benefits? Why should any organisation even consider taking on such a project?

Speaker Bio:

John Martin is a Senior Security Architect for IBM NZ. He is an IBM Expert level certified architect and Open Group Master Architect. His qualifications include Certified Information System Security Professional (CISSP), Information System Security Architect Professional (ISSAP), Chartered Information Technology Professional, and a Certified Information Security Manager (CISM). He is a registered Security Specialist with the British Computer Society (BCS) and member of the New Zealand Computer Society, (Certified Information Technology Professional). He holds a Master’s degree in Managing Information Systems from the University of Salford, UK. He has over 30 years of experience in the various security and privacy fields including healthcare and privacy related environments. He was formally trained originally as a Maritime Radio Officer before joining the Diplomatic Wireless Service within the Foreign & Commonwealth Office (FCO), where he worked extensively overseas for 20 years. After leaving the FCO he joined the commercial world with Marconi SecurTrust as Principal Security Consultant. He migrated to New Zealand with his wife in 2000 and joined Logical Networks as a contractor. He is a retired board member of NetSafe (Internet Safety). A member of the New Zealand Internet Task Force (NZITF). He is the president of the Auckland Chapter for ISC2 and is actively involved with members including those within many sectors.

Preparation for SOC 2 – 28th January

These days, SOC 2 compliance is a common framework, adopted by and applied to many organisations. SOC 2 can fit any industry providing any service and storing client data.

This presentation covers many points that will help in the preparation for SOC 2 implementation. To grow your understanding, the presentation will elaborate points relevant to SOC 2 audit like an introduction to SOC 2, report types, report sections, useful resources to plan and start SOC 2 implementation and tips and tricks to simplify the implementation.

Speaker Bio

Ahmad Hawa has solid technical and strategic experience in information security, with more than twelve years of experience across different industries. Ahmad has a computer engineering degree and a plethora of security professional certificates like CISM, SABSA (SCF), ISO 27001 LI, MCSE, Security+, ITIL Foundation V3, CCNA, JNCIA-FWV, Tripwire Enterprise Professional. Ahmad has a strong grasp of computer security, assorted operating systems and applications and detailed knowledge and a solid background in audit and compliance, risk assessment (ISO 31000), ISO 27001, SOC 2, vulnerability management and more.

Thursday 10th December

NZ Health Threat Intelligence Sharing

We all have experienced an increase in cyberattacks during COVID-19 and with the rapid digital transformation of healthcare it is natural the cybersecurity risks will increase and affect healthcare organisations and beyond.

We looked at ways to reduce the incident rates, response times, false-positives and to collaborate with other organisations experiencing the same challenges.

The obvious choice was using an open source Threat Intelligence Platform (TIP) – MISP formerly known as Malware Information Sharing Platform, yet a tool is just a small part of actionable threat “intelligence”.

This presentation will give a brief overview of why NZ specific threat intelligence is needed, insights on NZ-based malware and phishing over the last year, how we leverage the TIP to protect New Zealand organisations, risks from the lack of intelligence affecting businesses, what can go wrong and a few Xmas wishes for the NZ cyber community.

All attendees will get an Xmas present, if the threat intel indicates a positive sharing behaviour in the past year ;). Sharing is caring, so we hope you will join us!

Speaker Bio:

Faustin has a rare mix of business, technical and research knowledge, from enterprise business systems to healthcare and nuclear physics research with published research in peer-reviewed journals.

Originally from Romania, Faustin Roman has a multi-disciplinary background, having PhD/MSc studies in nuclear physics and IT in Romania, a Marie Curie PhD fellowship at CERN, Switzerland, and international experience in senior roles across New Zealand, Australian and Austrian health sectors.

He is a “virtual” CIO/CISO for a number of organisations in New Zealand and has initiated and chaired a number of cybersecurity and privacy interest groups.

Focusing on cybersecurity, digital transformation and innovation, Faustin founded Medical IT Advisors in 2016, a New Zealand-based agile advisory organisation specialised in health information security and digital transformation.

Medical IT Advisors has developed community-based cybersecurity initiatives and services, e.g. CyberShield.NZ, PhishOfTheDay, HISF self-assessment.

At the beginning of 2020 Medical IT Advisors developed and is now hosting the only health threat intelligence platform in NZ, working with other industry and government partners to advance the New Zealand cybersecurity maturity. For more information: https://www.meditadvisors.com/solutions/health-threat-intelligence-sharing-platform/

Thursday 26th November

ICS Cyber Security

In the security field, we all appreciate the ever-growing, ever-changing threat landscape. One of the most pressing areas of concerns for many organisations in NZ and around the world is the Operational Technology environment (aka Automation or Industrial Control System environment).

Through commercial (ECL Cyber), community (NZ ICS Cyber TN) and training (SANS GRID) engagements, Peter has gained a wealth of experience to share with those responsible for supporting NZ industrial environments.

This talk will work through best-practice advice, building on common themes from assessments and security monitoring. Some of the touch points will include NCSC/CSSIE/VCSS, MITRE ATT&CK for ICS/ICS Cyber Kill-Chain, OT IR, quick-wins, pitfalls/rabbit-holes.

Speaker Bio:

Peter Jackson is an experienced ICS Cyber Security professional. Peter leads the ECL Cyber team of industrial cyber specialists in supporting the industrial sector in NZ. Peter’s background includes control and safety systems experience as a TÜV certified Functional Safety Engineer. Peter is GIAC certified in GICSP and GRID for ICS Cyber Security and is working through instructor development with SANS to teach the ICS515 for ICS Active Defence and Incident Response. Peter has spoken at many conferences, nationally and internationally. In conjunction with the SANS ICS and ECL Cyber, Peter established the NZ ICS Cyber Technical Network.

22nd October – Forensic investigations – Campbell McKenzie

6th November (Privacy Week) – The issue of ‘consent’: barriers to safeguarding children’s data – Dr Caroline Keen

Thursday 24th September

Make SIEM great again!!

This presentation will cover various topics that are SIEM related, debunk some of the misconceptions of what SIEM is or isn’t, what it is good for, as well as providing some ideas on what organisations can do to improve on their “SIEM maturity score” to get the most value out of their investment.

Speaker: Nyuk Loong Kiw

Kiw is a SOC manager with close to 18 years’ experience in a technologically diverse, telco-centric environment. Kiw’s key areas of expertise are network security and incident response, with extensive experience across a variety of technologies. Kiw has 10+ years of team and technical leadership experience, and he is pragmatic, hands-on, and has a good sense of humor. He moved into the SOC management role in early 2015.

Kiw’s extensive experience includes:

  • Building a SOC from a single resource to the largest (40+ to date) and most mature SOC in New Zealand;
  • Completing business case, solution architect, design, and implementation activities for many of the security solutions currently deployed in Spark and customers;
  • Leading and responding to many critical severity security incidents.

Kiw has a Bachelor of Engineering degree from Auckland University, and is also certified in many industry-recognised security certifications (e.g. CISSP, GCFW, CEH, CCSE etc). He is committed to providing secure outcomes for both customers as well as Spark.

Isolation Tech – changing the rules of endpoint security

For our August (ISC)2 Chapter event we welcome Greg Wyman who will present on isolation tech and the evolving world of endpoint security.

With 94% of all data breaches starting at the endpoint, isolation, containment and elimination technologies are key to preventing attackers gaining a beachhead.

Greg’s session will begin at 12.30pm on Thursday 27th August and will be delivered via Zoom so all are welcome to register and attend. Watch the video playback.

Thursday 23rd July

The Psychology of Phishing

PLEASE NOTE: We’re running our first face to face (ISC)2 Auckland Chapter event in July since the emergence of COVID-19 and tickets are now available. We encourage all Chapter members to follow Ministry of Health guidance and stay home if you’re unwell. Please ensure you are familiar with the Golden rules for everyone at Alert Level 1.

Phishing remains one of the top attack vectors today. Why is it so successful?

Working with the University of Auckland and Cyber Security Foundry, Jacinda Murphy has completed research looking at the issue of phishing email susceptibility. Her work looks at the factors associated with phishing susceptibility, and evaluates the success of training initiatives.

Her 5+ years with Westpac have enabled her to look at these concepts within a financial organisation and develop insights that may help other businesses to improve their cyber security strategies to ultimately reduce their phishing threat. Join Jacinda to learn more about the psychology of phishing on Thursday 23rd July.

Networking starts at 4.30pm. An introduction and summary of the KPMG Cyber Challenge will begin at 5.10pm before our main presentation and Q&A.

Thursday 25th June

Preparing for the new Privacy Act

2020 will see the biggest change to our privacy laws in over 25 years. The new Privacy Act will bring new responsibilities for all organisations. Join Caroline Carver of TwoBlackLabs as she explores the new Privacy Act, how we got here, major changes, and the big impacts for organisations big and small.

Caroline is the founder and TwoBlackLabs’ Principal Consultant. Caroline is a Privacy and Security Risk professional with in excess of 10 years related experience in both the public and private sectors. She is an IAPP qualified Fellow of Information Privacy.

Thursday 28th May

Future Threats Panel: What will the 2020s bring?

For our May (ISC)2 Auckland session, Chapter Treasurer Philip Whitmore will be hosting an online panel event exploring future threats that include machine learning cyber attacks, deepfakes, 5G, quantum computing, adversarial AI and much more.

We welcome Gabriel T. Akindeju, Gaz Eves, Richard Harrison and Rishit Shah who will discuss the evolving technology risk landscape and what the next decade could have in store for us.

Our panellists will discuss:

  • “Surveillance capitalism is widely accepted as the price of being online. Have we allowed the proliferation of further invasive technologies under COVID-19 lockdown and is privacy a dying concept?”
  • “Are we ready and able to cope with future threats? What will a world of deepfakes, adversarial AI and quantum computing mean in philosophical and practical terms?”
  • “The 2020 WEF Global Risks Report downgraded cyber risk and placed climate change front and centre. Are technology risks overblown and we should focus our efforts and investments on environmental and social issues?”

Come join our online panel and hear what the next decade could bring…

Thursday 23rd April

Keeping .nz secure and InternetNZ’s role in the local Internet

For our April Chapter meeting we’ll have two presentations from InternetNZ about some of the work they do to help keep New Zealanders safe online.

The first presentation is from Commercial Director, David Morrison providing a brief overview of InternetNZ and some detail about their recently launched Defenz – DNS Firewall service providing an additional layer of security for organisations in New Zealand.

The second presentation is from Chief Scientist, Sebastian Castro providing insights into the .nz domain name space and how we are applying modern machine learning techniques to identify abusive domains, supporting the Domain Name Commission with data to inform their compliance work.

The webinar will run from 12 midday on Thursday 23rd April and will be free to join so come and learn about InternetNZ’s work.

Speaker Bios

David Morrison, Commercial Director

As Commercial Director, David is charged with leading the commercial development of InternetNZ’s existing and new products to ensure long term, sustainable revenues that support the society’s objectives. The role is diverse, incorporating marketing, channel management, product development and business intelligence. Outside of work David enjoys staying home and saving lives!

Sebastian Castro, Chief Scientist

Sebastian leads a team of Data Scientists and Engineers looking for answers to questions about the Internet and the .nz namespace using data and algorithms. He has a particular interest in active and passive Internet data collections, analysis, and visualizations. Outside the Internet, he enjoys capturing life and landscapes with his camera.

Thursday 26th March 2020

IoT – The Pervasive Devil Within

The Internet of Things or IoT embedded devices are smart, listening and communicating, hidden and are too small to be normally seen. Yet we willingly accept them into our environments without the blink of an eyelid. Should we be worried? Are they safe? Have they been certified to agreed standards like the electrical standards for our household appliances? Should New Zealand have a code similar to the first draft Australian Government Code of Practice with its 13 principles? Should you be concerned?

Speaker Bio:

John Martin is a Senior Security Architect for IBM NZ. He is an IBM Expert level certified architect and Open Group Master Architect. His qualifications include Certified Information System Security Professional (CISSP), Information System Security Architect Professional (ISSAP), Chartered Information Technology Professional, and a Certified Information Security Manager (CISM). He is a registered Security Specialist with the British Computer Society (BCS) and member of the New Zealand Computer Society, (Certified Information Technology Professional). He holds a Master’s degree in Managing Information Systems from the University of Salford, UK. He has over 30 years of experience in the various security and privacy fields including healthcare and privacy related environments. He was formally trained originally as a Maritime Radio Officer before joining the Diplomatic Wireless Service within the Foreign & Commonwealth Office (FCO), where he worked extensively overseas for 20 years. After leaving the FCO he joined the commercial world with Marconi SecurTrust as Principal Security Consultant. He migrated to New Zealand with his wife in 2000 and joined Logical Networks as a contractor. He is a retired board member of NetSafe (Internet Safety). A member of the New Zealand Internet Task Force (NZITF). He is the president of the Auckland Chapter for ISC2 and is actively involved with members including those within many sectors.

Thursday 27th February 2020

Creating a One Page Cyber Strategy That Works

Richard Harrison will discuss how to effectively understand and manage risks in a healthcare setting

Richard is a global cybersecurity leader who understands security balanced against the demands of users and in a healthcare setting, patients. He has overseen and built a spectrum of security services including strategic consulting, cyber defence, digital identity, response and remediation services, and managed security services.

At healthAlliance he is focused on building and implementing an information security transformation strategy and programme designed to embed robust and effective governance over cyber security and risk and develop the capabilities required to effectively implement security controls. The aim is to improve visibility into the environment and know the unknown; ensure security by design from initiation, design, build and operate and excel in the basic areas of security hygiene. We communicate, educate and build awareness of cyber security risks, changing behaviours and culture as a consequence.

Richard supports healthAlliance’s DHB stakeholders to navigate the challenges posed by cyber threats, understand the risks and take effective measures to manage them.

2019 Event Calendar

  • 24th January 2019 – Ransomware Detection and Defence Techniques – Tim McIntosh
  • 28th February 2019 – Andy Prow on building security success with Aura and RedShield
  • 28th March 2019 – Privacy for the 21st Century – Updates on the NZ Privacy Bill – Daimhin Warner
  • 30th April 2019 – Achieving ISO 27001 certification in New Zealand – Jerry Tiriwawi
  • 23rd May 2019 – Federated Identity – Eghbal Ghazizadeh
  • 27th June 2019 – Security awareness video making group challenge – Chris Hails
  • 25th July 2019 – Industrial/OT Cybersecurity – Bhojraj Parmar
  • 22nd August 2019 – NZ SOC – Nyuk Loong Kiw
  • 26th September 2019 – PCI-DSS – Dr Rizwan Ahmad
  • 24th October 2019 – Phishing and user awareness – Ray Cabrera
  • 28th November 2019 – Cyber Insurance and NZ Incident Data – Petra Lucioli
  • 2nd December 2019 – End of year social