Registration & Networking

Welcome/Introductions

The Summit is a collaboration point for the many member-driven professional associations across the region. Hear a brief introduction from Board Members of each of those InfoSec & Fraud Associations as we open the agenda

The State of Cybersecurity 2026: Mapping the Industry, Measuring AI’s Real Impact, and Making Sense of 4,550 Vendors [Discussion Pod #1]

Richard Stiennon, veteran analyst and industry provocateur will kick off the Summit, taking us on a data-rich tour of the entire cybersecurity industry—all 4,550 vendors, 660 subcategories, and $12 billion in recent funding. Drawing from his forthcoming book, Stiennon will share insights derived from two decades of studying cyber trends at Gartner and now IT-Harvest—the only firm systematically cataloging the global cyber vendor ecosystem.

This talk is not just about the numbers. Richard will break down the practical implications for executives:

• How to navigate a vendor landscape bloated with similar claims and vague value props
• Where AI is truly being built in cybersecurity—what’s real, what’s noise, and what agentic AI might change
• What vendor origin says about product capability, reliability, and alignment with enterprise needs
• Why vendor consolidation isn't the answer—and what to do instead

He’ll also spotlight key global dynamics, such as Israel’s IDF-fueled innovation engine, Germany’s vendor loyalty culture, and the emergence of AI Security as a distinct and fast-growing segment.

If you’ve ever asked “What should I actually be paying attention to in cybersecurity right now?”—this is your answer. This session will set the tone and context for the day, offering a strategic foundation for every discussion that follows.

When Cyber Hits the Fan: Who to Call, What to Share, and How to Get Real Help [Discussion Pod #2]

John Felker, former Assistant Director for Integrated Operations at CISA, will lead a discussion to cut through the confusion. Drawing on decades of leadership across government, military, and private-sector cybersecurity, Felker will explain how key agencies actually fit together, when each should be engaged, and how organizations can build relationships before an incident occurs.

When a serious cyber incident unfolds, most security leaders face the same problem: who do you call first, what do you share, and how do you get meaningful help fast? Between CISA, the FBI, Secret Service, regulators, ISACs, state fusion centers, and InfraGard, the landscape can feel fragmented—especially under pressure.

He will also address a major shift in the cyber landscape: in many cases, the private sector now develops threat intelligence as fast as—or faster than—the government. As AI, quantum, and nation-state activity accelerate risk, effective defense increasingly depends on trusted two-way collaboration.

The moderated discussion to follow will focus on real operational scenarios: when to call CISA vs. the FBI, how to engage government partners without triggering unnecessary scrutiny, how ISACs and InfraGard fit into an enterprise threat-intelligence strategy, and what practical steps CISOs can take to build trusted relationships before an incident occurs.

Inside the Mind of the Adversary: Espionage, Negotiation, and the Battle for Digital Control [Discussion Pod #3]

Kurtis Minder has spent the last decade doing what most cybersecurity professionals only read about—negotiating directly with cybercriminals, including ransomware gangs, nation-state affiliates, and digital extortionists. As the founder and CEO of GroupSense, Minder built a world-class cyber espionage team, managing over 4,000 personas in multiple languages. He helped victims navigate headline-making ransomware attacks, and briefed everyone-from Congress to the Intelligence Community.

In this gripping, TED-style keynote, Kurtis draws from his new book, Cyber Recon, and his real-world experience leading some of the largest ransomware response efforts globally. He’ll walk attendees through the tradecraft of cyber reconnaissance, the nuances of engaging threat actors using mindful negotiation, and what it really takes to protect your organization in today’s hostile digital landscape.

Blending operational insights with personal stories—from fake identities like “Vinny,” to briefing Congressional subcommittees—Kurtis offers a rare, behind-the-scenes look at the human element of cyber conflict. Whether you lead security for a Fortune 500 or a regional bank, you’ll leave with concrete lessons on digital risk, negotiation, and resilience in the age of cybercrime.

The CVE Ecosystem Today & the AI Agents Burning Watts to Fix It [Discussion Pod #4]

Tim Rohrbaugh, back at NEACS by popular demand, has taken a very deep look at the CVE pipeline (Common Vulnerabilities and Exposures), its 429 CVE Numbering Authorities (CNAs), timelines of reporting, and the ecosystem of scores, updates, and rankings. 

News Flash: Everything we know about CVEs is wrong.   

The CVE pipeline is bursting at the seams—and the downstream ecosystem that enterprises rely on to make sense of it (CVSS scores, vendor advisories, scanners, ticketing) is lagging, inconsistent, and noisy. Meanwhile, security teams are asked to do more with less while the volume of new "Published" and Updated CVEs are relentless. 

In this session, Tim explores what’s fundamentally broken—then shows how cyber leaders can deal with it.  He will demonstrate how small teams can stand up trustworthy, domain-tuned synthetic-reasoning agents (AI) to shoulder the grunt work for quality analysis that can give teams focused daily updates to protect systems and data. 

Participants will learn: 

• Where the current understanding of CVE/NVD/scorecard is broken—and what to stop trusting and start questioning.
• How to build “home-grown” AI assistants that prioritize, explain, and script fixes safely.
• How to use Distillation to make efforts highly accurate without exposing sensitive  details

Lunch & Solution Showcase Networking Discussions

Participants will enjoy a lovely full hot lunch while connecting with the thoughtful Solution Providers who are supporting the community at the Summit!

It’s Not Just Bad Hygiene—It’s Criminal Negligence [Discussion Pod #5]

What the Largest Bank Fine in U.S. History Means for Cybersecurity Leaders

Presented by: Special Agent Carlo Nastasi, IRS-Criminal Investigations
Moderator/Framing Remarks: Michael Hiskey, Founder – CxO Security Forum

IRS-Criminal Investigations will talk us through what started as a routine money laundering investigation and then became the largest criminal BSA case in U.S. history: TD Bank pled guilty and paid a record-breaking $3 billion fine for failing to detect and report financial crimes between 2018 and 2024. But this wasn’t just a banking compliance failure—it was a breakdown of fundamental controls that cybersecurity teams should recognize as eerily familiar: weak identity verification, outdated monitoring tools, no internal escalation, and massive blind spots in onboarding.

With the passage of the AI Clarity Act and GENIUS Act, any company involved in digital asset transactions—especially fintechs and crypto-related entities—will now fall under the Bank Secrecy Act (BSA). That means cybersecurity functions may be criminally liable if they fail to detect malicious or illicit behavior.

This session reframes cybersecurity risk from “fear of breach” to fear of prosecution. If your organization touches crypto, stablecoins, or manages digital financial flows, this talk is your wake-up call. Learn what went wrong at TD, how BSA violations can stem from cyber failings, and what proactive cyber leaders should do now to protect not just their companies—but themselves.

Agentic AI Meets Zero Trust: What Actually Breaks—and How to Fix It [Discussion Pod #6]

Presented by:  Josh Woodruff, Author, Agentic AI + Zero Trust

In the rush to deploy autonomous/semi-autonomous AI, Community Members have shared their doubts that existing identity, data, and control frameworks are ready. Drawing from years of research for his book and field experience, Josh will share:

• Why most agentic AI initiatives fail operationally, not technically
• How Zero Trust principles must evolve for AI agents, workflows, and non-human identities
• Where security teams need to rethink identity, authorization, and monitoring
• What CISOs and CIOs can do now to avoid costly architectural mistakes

This session blends short-form insights with moderated group discussion, focused on immediately actionable takeaways for enterprise leaders.

Degrees, Certs & Entry-Level Grit: What Cyber Grads Can (& Can’t) Do For You
[Panel]

This panel discussion features a real-world exchange between cyber educators and industry leaders. Professors will share how they’re designing programs with hands-on labs, industry-funded projects, and even high school hackathons. CISOs and CTOs will weigh in on the “last-mile” problem: grads with zero experience, mismatched expectations, and a professionalism gap that’s hard to ignore.

With over 700,000 unfilled cybersecurity jobs in the U.S., you’d think the hiring problem would solve itself. But here’s the rub: cybersecurity programs are churning out grads, and CISOs still ask, “What can they actually do on day one?” Are they SOC-ready? Do they understand fraud prevention, governance, compliance—or even what cybersecurity is?

We’ll dig into big questions:

• Are four-year degrees still the gold standard—or are certs and bootcamps the smarter play for mid-career upskilling?
• How do you hire interns and set expectations when “everyone is busy”?
• What can companies do (without breaking budgets) to actually shape the talent pipeline?
• And how can we close the generation gap without lowering the bar?

Come for the honest dialogue, stay for the practical takeaways—and leave with a few ideas for fixing a system that isn’t working for educators, employers, or students.

The Next Breach Won’t Look Like the Last One: Preparing for What You’re Not Measuring [Discussion Pod #7]

Every security program today is optimized to prevent the last breach.

The controls, dashboards, budgets, and board conversations are all shaped by yesterday’s incidents—ransomware, phishing, endpoint compromise. But the next wave of risk is already forming outside those models: non-human identities, AI-driven decisioning, supply chain entanglement, and silent data manipulation that doesn’t trigger alerts.

In this closing session, we’ll challenge a dangerous assumption: that improving today’s controls will protect you from tomorrow’s threats.

This discussion will explore:

• Why most enterprise security programs are overfit to known attack patterns
• Where visibility is breaking down (AI agents, APIs, third-party logic, machine-to-machine trust)
• How attackers are shifting from disruption to subtle manipulation and persistence
• Why traditional metrics (MTTR, patch SLAs, alert volume) may be giving false confidence
• What leading organizations are doing to rethink detection, trust, and resilience before the next wave hits

This is not a prediction talk. It’s a reality check. Expect a fast-paced, candid discussion that forces a simple but uncomfortable question:  What risks are we blind to—because we’re not even looking for them?

Closing Discussion & Networking

Stay & Connect: Informal Networking + Solution Showcase
Before hitting the road, grab a coffee and take time to connect. Trade insights with peers, chat with Solution Providers, and follow up on the ideas sparked throughout the day.

No panels, no pitches—just real conversations to wrap things up right.