Subject: Management / Leadership
Saturday, September 12
 

10:30am CDT

Life After Tier 1: Rebuilding the SOC When Triage Is Outsourced
Saturday September 12, 2026 10:30am - 11:30am CDT
For many medium-sized enterprises, outsourcing Tier 1 triage to an MSSP is positioned to reduce workload, provide 24/7 coverage, and improve efficiency. In practice, it fundamentally reshapes how a SOC operates—and introduces new challenges that many teams are unprepared for.


Outsourcing Tier 1 doesn’t eliminate work—it redistributes it in ways most SOCs are not designed to handle.


This talk examines what happens after Tier 1 is removed. Organizations place significant trust in third-party providers, yet alert volume may decrease while investigation complexity increases. Context is often lost at handoff boundaries, and traditional metrics lose meaning, while new measures—such as mean time to confirm and escalation quality—become critical for understanding performance. Teams that fail to adapt quickly often find themselves with fewer alerts, but greater uncertainty and slower response.


Operational gaps also emerge when systems do not align with MSSP onboarding models. Custom telemetry sources, delayed parser development, and the gap between deployment and monitoring readiness introduce risk that must be actively managed.


Drawing on real-world experience leading a SOC through this transition, this session focuses on how to redesign operations for a post–Tier 1 model. We will explore how analyst roles must evolve from queue processors to investigators, why detection fidelity becomes the most important metric, and how to build feedback loops that continuously improve detection quality.


Attendees will leave with a practical framework for restructuring workflows, redefining success metrics, and improving detection precision.
This talk is designed for SOC leaders, detection engineers, and analysts navigating MSSP integration or considering outsourcing triage functions, and aligns with both the Management/Leadership and Security Operations tracks.
Speakers
Stuart Fairchild

Senior Manager, Cybersecurity, C Spire
Stuart Fairchild is a Senior Manager of Cybersecurity at a regional telecommunications provider, where responsibilities include leading security monitoring, incident response, and security awareness programs supporting infrastructure for over one million customers. Work focuses on improving detection...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk

10:30am CDT

The Decision Engine: How to Rebuild Security Operations for an AI-Accelerated Threat Environment
Saturday September 12, 2026 10:30am - 11:30am CDT
The queue-based SOC is not a slower version of the future. It is a structural liability.


For two decades, security operations has been measured by the wrong things: alert throughput, mean time to detect, SLA adherence. These are the metrics of a queue. They assume that moving fast enough through enough alerts produces security outcomes. That assumption has not survived contact with AI-enabled adversaries, exponential telemetry growth, and the accelerating compression of exploitation timelines.


This talk is about what replaces it.


The decision engine is not a product, a platform, or a vendor pitch. It is an operating model: a structural redesign of how a security function produces decisions rather than processes alerts. The mission statement is simple: compress uncertainty faster than adversaries compress time. Everything else (the detection discipline, the AI architecture, the metrics framework, the cryptographic risk model) is a design decision made against that standard.


The session covers the three structural shifts that make the legacy model insufficient, the five components of the decision engine operating model, and what the transition looks like in practice, including what fails first, what the hardest organizational resistance looks like, and what early proof points tell you the model is working.


Specifically, attendees will leave with a clear mental model for evaluating their own organization's current posture, a diagnostic framework for identifying where the legacy model is already creating structural risk, and three concrete actions they can take immediately, regardless of budget cycle, platform status, or org structure.


The talk also addresses the risk that receives the least attention in most security operations conversations: the shrinking half-life of sensitive data. For organizations holding data under multi-year regulatory retention obligations, long-lived contractual confidentiality requirements, or enduring intellectual property value, the assumption that exfiltrated data cannot be weaponized for years is eroding. The question that should be driving triage is not whether a breach occurred; it is what the time-to-weaponization of the data involved is. Most SOCs have no answer to that question. This talk explains why that gap is a structural risk and what closing it requires.


This is not a theoretical framework. Every element described in this session has been built and validated in a production operational environment, under real constraints, against real adversaries. The speaker is not standing at the front of the room as a vendor, an analyst, or an academic, but as a practitioner who made the transition, knows what it costs, and knows what it produces.
Speakers
Ren Fellows

Manager Cyber Security Operations, REI Co-op
Ren Fellows is the Director of Threat Management at a Fortune 50 financial institution, with over 13 years in security spanning SOC build, large-scale incident response, and zero-day events. Ren believes the way we've built and led security operations is due for a fundamental...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk

10:30am CDT

Vulnerability Management: The Leadership Playbook
Saturday September 12, 2026 10:30am - 11:30am CDT
Most vulnerability programs keep teams busy without reducing risk. Mean-time-to-remediate improves quarter over quarter while the total count of unpatched vulnerabilities climbs. The program optimizes a local maximum: patching speed. This talk presents four strategies for escaping the cycle, and the leadership behaviors each strategy requires.
Strategy 1: Shrink what needs protecting. Every decommissioned environment, consolidated tool, and disabled stale account is one less thing to scan, patch, monitor, or defend. Specific targets exist in every organization: SaaS products nobody canceled after a pilot, test environments that outlived their projects, overlapping tools acquired through inertia. Zero-based security budgeting surfaces surprising candidates for elimination and reframes security from cost center to cost-reduction partner. But decommissioning requires a shared source of truth. When security counts 200 SaaS applications, finance tracks 100 with purchase orders, and IT lists 50 in systems management tools, conversations stall. Building that shared reality across departments is the prerequisite for any attack surface reduction initiative.
Strategy 2: Look beyond scanning. Scanners miss configuration drift, exposed APIs, shadow infrastructure, and short-lived cloud resources that disappear between scan cycles. Pairing vulnerability scanners with endpoint agents, cloud security posture tools, systems management software, and identity providers gives a more accurate picture of what needs attention. This section also challenges the "attackers only need to be right once" myth. Map it against MITRE ATT&CK: attackers must succeed at reconnaissance, initial access, persistence, lateral movement, and exfiltration, every stage, sequentially. Defenders need only disrupt one step. Architectural choke points like SSO create disproportionate defensive returns. Terrain knowledge compounds over time and is impossible for an external attacker to replicate.
Strategy 3: Prioritize with context. Base CVSS scores assume worst-case conditions and mislead patching teams. Combining exploitability data such as EPSS scores and CISA's KEV catalog with environment specifics, including network exposure, compensating controls, and data sensitivity, produces rankings that reflect actual risk. A CVSS 6.5 on an internet-facing authentication server often deserves faster action than a CVSS 9.0 on an isolated test box. When patching teams see priorities grounded in their reality, they trust the process and act on it. The job of a security leader is not to maximize security but to calibrate acceptable insecurity through criteria a business colleague would understand.
Strategy 4: Apply pressure without alienating the teams who do the work. Patching teams are measured on delivery velocity, not vulnerability metrics. Earning a seat in their planning sessions starts with understanding their constraints and what they are trying to ship this quarter. Allies often sit outside security and IT: General Counsel cares about legal exposure, product management about customer trust, finance about cost reduction. Frame requests in terms of their objectives, not your risk scores. If your assessment doesn't change the state of the organization, it hasn't reduced risk.
The talk closes with metrics that measure program health rather than activity, guidance on communicating vulnerability management to boards and executives, and five diagnostic questions attendees take home to assess whether their program is reducing risk or producing reports.
Speakers
Lenny Zeltser

Faculty Fellow, SANS Institute
Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk

10:30am CDT

Why Incident Response Plans Fail Under Pressure
Saturday September 12, 2026 10:30am - 11:30am CDT
Most incident response plans do not fail because the document is missing. They fail because people do. Under pressure, some teams panic and abandon strategy. Others choke, overanalyze, and freeze. In both cases, the plan may be technically sound, but human performance and cross-functional coordination break down.
 
This session explores why comprehensive IR plans still collapse in real incidents, even in organizations with mature security programs and well-documented procedures. Through breach case studies and practical lessons from high-pressure performance, we will examine what traditional tabletop exercises and compliance-driven training rarely test: legal pressure, executive escalation, media scrutiny, conflicting incentives, and the absence of pre-authorized decisions.
 
Attendees will leave with a practical framework for making incident response more resilient. We will cover how to reduce panic through cognitive offloading and automation, how to reduce choking through pre-authorized response paths and role clarity, and how to design adaptive simulations that force teams to make decisions under realistic pressure. We will also discuss how blameless postmortems turn failure into better instincts for the next crisis.
 
The goal is not a better-looking incident response plan. The goal is a response culture that still works when the facts are incomplete, the stakes are high, and every minute counts.
Speakers
Ron Dilley

CISO, Reflex Security
Ron Dilley works at Reflex Security as the Field CISO, focusing on technical evangelism, channel management, and community presence, while pushing the boundaries of what's possible in technology to deliver exceptional value for clients. He is also on the IANS Research Faculty, a speaker...
Swissôtel Chicago 323 E Wacker Dr, Chicago, IL 60601, USA
Talk

Blue Team Con 2026