DOMINO24: Where Cybersecurity and IT meet the Board Room
Attending the DOMINO 24 conference on May 15-16, 2024, was a fantastic opportunity to learn from cybersecurity leaders and legal experts about the evolving landscape of SEC regulations. The conference emphasized that while public companies are the primary focus, private companies should also prepare for future regulatory changes. My objectives of learning from experts and expanding my professional network were met easily, making the experience highly rewarding.
Bob Zukis, QTE, DDN Founder and CEO, opened the conference with a precise and engaging kickoff session. He emphasized the importance of balanced reporting and preparing for upcoming regulatory challenges. His message was clear: systemic issues require systemic solutions. This set a serious yet proactive tone for the conference, focusing on problem-solving rather than celebration. The opening keynote interview featured an anonymous C-suite executive speaking under the Chatham House Rule. A retired colonel facilitated the session, highlighting the communication challenges that arise during incidents because of potential litigation. The key takeaway was the importance of having a battle plan and conducting tabletop exercises. A memorable quote was, "Being 50 percent right is better than 0 percent right." This session underscored the necessity of proactive planning and clear communication over out-of-band, secure communication channels.
The deep-dive learning sessions provided valuable insights into various aspects of cybersecurity. The morning sessions included a discussion on cyber disclosures led by a practicing cyber attorney, focusing on materiality as the cornerstone of SEC regulations and the need for robust processes to determine the significance of incidents. The application security session with a CISO from a software security company highlighted the proactive stance of Executive Order 14028 and the challenges of securing applications, particularly with the integration of generative AI. This session stressed the importance of addressing development fatigue and ensuring secure coding practices.
During the sit-down networking lunch, I had the chance to connect with other professionals, and a renowned professor's talk on healing in complex systems was enlightening. They drew parallels between technology and living systems, offering four fundamental principles and addressing the challenges of managing complex technological ecosystems. In the afternoon, the session on reporting the economic impact of cyber risk to the board, led by the CEO of an analytics company, emphasized the importance of demonstrating risk tolerance to the board and understanding the financial implications of breaches. The final breakout session, on the path from incident to materiality determination, provided critical insights into regulatory reporting requirements and the nuances of filing reports based on the nature of each incident.
The EU chapter leader delivered a regulatory update on the EU's Digital Operational Resilience Act (DORA), which provided valuable foresight into potential regulatory trends in the US. The presenter sprints were engaging, and the evening concluded with an impressive display of "systemic entertainment" involving plate spinning with 24 plates, symbolizing the delicate balance required in complex systems.
The keynote on the second day emphasized the need for resilience and recovery plans, stressing that CISA's role is not regulatory but supportive. The AI lessons panel underscored the significance of clean data and the strategic integration of cybersecurity with AI. The CISO panel discussed the inevitability of third- and fourth-party risks and the importance of addressing fundamental cybersecurity measures to prevent exploitation of low-hanging fruit.
The DOMINO 24 conference concluded with actionable insights and a strong focus on proactive planning and systemic solutions. The networking opportunities and expert sessions provided a comprehensive understanding of the current and future landscape of cybersecurity and regulatory compliance. Our customers should apply these insights by enhancing their incident response plans, engaging in regular tabletop exercises, and staying informed about evolving regulations to ensure robust cyber governance in their professional practice.