
Chris Honda
Manager; Security, Risk, & Compliance @ Plotly
Lehi, Utah, United States
Professional Goober | Head Janitor and Cook for the Honda Household | Sometimes does Security + GRC @ Whistic | Bad at Making Jokes and Writing Bios
In the Driver's Seat: An Intentional Approach to AI Governance
Love it or hate it, AI has largely proved that it is here to stay. While the benefits to individuals and companies vary wildly, it is a safe assumption that it would be imprudent to completely abstain from using AI or to recklessly embrace a tool/service just because it includes AI functionality.
Operating under the premise that most organizations should consider at least some AI-powered tooling, what considerations should be included to find a healthy risk/reward balance? While the details will be unique to each org, having a carefully designed AI Governance strategy in place with appropriate oversight mechanisms is a must for all.
For example, to what extent will GenAI tools like ChatGPT be allowed? Will you have managed accounts that prevent data sharing for model training, or will you rely solely on trust and training to mitigate potential data exfil? In another scenario, will you take a scattershot approach to integrating a variety of LLMs into your product in a bid for a competitive advantage, or will a guiding strategy be designed to intentionally bolster your software in a meaningful way?
In this session, we will discuss and share examples of:
- Specific elements of an effective, maintainable AI Governance strategy,
- Resources to guide in the design and implementation of an AI Governance program, and
- Considerations for extending governance, such as vendor risk management, customer communications, etc.
Finding a Common Language: A Security Primer for Non-Security Teams
Have you ever requested a new tool that would make your job 10x easier, just for the grumpy Security person to decline your request with a terse, unreasonable "No"? There are definitely security teams that may enjoy living this scenario, though countless more of us want to change that reputation, and we are hoping to do so by finding a common language between security and other teams. In other words, when a team understands why the other team works the way it does, a healthy, productive partnership is much more likely to emerge and flourish.
In this session, we'll discuss some of the key goals and terms security teams look to accomplish. By the end of our time together, I hope to:
1. Have you conversational in security-speak, comfortable as an effective security translator,
2. Help brainstorm ideas to get your security team to speak *your* language, and
3. Understand what security teams aim to do and how you can align their interests with yours for a more effective overall operation.
An ISO 42001 Early Adopter's Retrospective
Now that just about every company is all-in on AI, what can we do to make sure we're managing it appropriately in our own organization and those that we work with? You might be familiar with ISO 42001, the newcomer to the global compliance standard family. I helped my company get certified earlier this year and made a ton of mistakes so you don't have to, and want to share my experiences from start to end. Grab a snack and join the conversation and hear how we researched its potential value, got executive buy-in, stood up the AIMS, and prepared for the audit.
Walking the Tightrope: Balanced AI Risk Management
It's hard to believe that it's been almost 2 years since ChatGPT was unleashed on the world, followed by the subsequent wave of AI applications. It seems like almost every company has a strong opinion on AI - for better or worse though, it's here to stay.
Operating under this assumption, what can we do to safely navigate the current environment where everything seems to be AI-driven? Come and discuss your thoughts, opinions, and experiences while we consider AI governance, resources to assess AI risk, and related compliance concerns and observations.
Having Optimism in the Age of AI
This is not a session on the virtues or pitfalls of AI; those angles have been covered extensively elsewhere. Nor is this the place to speculate on the details of how AI will continue to evolve.
This session is about you - the InfoSec/GRC practitioner. Like our friends in other job functions, we have felt excitement, apprehension, and curiosity for the future of our industry and our contributions towards that future. Just as it is in every other part of life, we can choose to look forward with a 'doom-and-gloom' career outlook. I want to share an optimistic perspective where our opportunities to support, uplift, and contribute are more bountiful than ever. In a world where we can choose between fear and hope, I will speak on the side of hope every day.
Small and Mighty: Making Security Happen in a Small Security Team
A well-staffed, well-funded team is the dream of every security practitioner, though it is often not the case. Competing business needs mean that security teams have to wear multiple hats, take on extra projects, and turn down good initiatives to focus on necessities.
Despite some of the difficulties that come with small teams, this is a great position to be in. With limited resources and a solid plan, you can make opportunities to develop relationships and get security done effectively.
In this session, we will:
1. Identify strategies for building strong relationships throughout your organization that will support your security program,
2. Learn how to approach risk management in a balanced manner that encourages cooperation instead of fear, and
3. Discuss strategies to find scalable solutions to problems that won't break the bank.
Making Security Happen Without Being A Jerk
How many times have you heard of security referred to as the naysayers of your organization? The typical security team historically accomplished their goals by saying 'No' to anything beyond the bare minimum required for people to do their jobs. Consequently, we can be seen as a simple cost center that provides just enough value to justify our presence.
This is no longer the case. The rise of cybercrime has necessitated an increased investment in security to manage risk and enable efficient processes. While the security team's reputation has improved, we still have a way to go. By working to close this reputational gap, we can establish security as a critical partner and effective multiplier in the pursuit of accomplishing your organization's mission.
GRC and You: Putting your Career on a Rocket Ship
Many a security practitioner has told me that they see GRC as "the boring, audit stuff". It is true that GRC includes audits and related activities. It also provides those that are willing to learn an abundance of experiences, viewpoints, and skills, similar to how security and software engineering go deeper than typing code to magically make things work.
A healthy dose of GRC experience provides insight into the "why's" and "how's" of critical business operations. This insight enables us to be more effective partners across our organization, deliver more value to other teams, and strategically navigate the ever-changing landscape of threats and regulatory requirements.
Vendor Risk Management 101: Foundations of an Effective VRM Program
What is vendor risk management (VRM), and why should you care about it? An overly simplified definition is the discovery of risks associated with your service providers and determining how (or whether) to proceed with that relationship. Managing vendor risk is an imperative in our day, as an ever-growing reliance on outsourced services coincides with a rise in data breaches caused by third parties.
Let's explore what both sides of the VRM coin look like, some common concerns from both parties, and how you can make your job easier by nurturing the relationship between your organizations.
Simply Cyber Con '24 Sessionize Event
SAINTCON 2024 Sessionize Event
Bsides Seattle 2024 Sessionize Event
SAINTCON 2023 Sessionize Event
Bsides Seattle 2023 Sessionize Event
BSides SLC 2023 Sessionize Event
SAINTCON 2022 Sessionize Event