Cecilia Brisuda & Maureen Gallagher

With the scarcity of skilled cybersecurity professionals and the ever-growing risk of breaches, cybersecurity tech experts are overextended, and it’s time to start looking for non-technologists who can fulfill security needs. Cybersecurity teams need to develop relationships with non-technical team members who can help improve their company’s security posture and advocate outside IT for the importance of security.

This is where lawyers come in. Lawyers and cybersecurity professionals have the same goals and mindset; they protect the client, reduce risk and do so without breaking operations. They are natural fits for each other. Cybersecurity experts can and should leverage their legal teams.

This presentation will argue for the value of cooperating with lawyers outside responding to specific legal problems. Examples of ways lawyers can be part of cybersecurity teams will be discussed, including running tabletop exercises, organizing security training, advocating to business leaders for security tools, and funding and facilitating incident response. These topics will be presented through the lens of the experiences and successes of the presenters (who are cyber incident response lawyers).

Finally, the presentation will share specific tips for integrating lawyers into cybersecurity operations. These will include how to onboard lawyers into a team and communicate effectively with them. Attendees will leave with concrete steps to take to expand their workforce and capabilities.

Stella Camacho

Building infrastructure on the cloud is very different from building workloads on premise. This is why security in the cloud is very different from on-premise security.

The main factors to consider are: Cloud environments have a shared responsibility model between the organization and the cloud providers; there are several different cloud providers, each with different security services; and cost is a major factor in building cloud environments due to the pay-as-you-go model.

Due to the complexity involved in securing cloud environments, it is critical that organizations follow recommended best practices. In the presenter’s 14 years of building and managing cloud environments, they found that building a Cloud Center of Excellence (CCOE) practice is the most effective way of properly securing the cloud workloads.

In their last two roles, the presenter successfully built the CCOE practice for the organization and established standard procedures for security best practices across the organization. Earlier this year, they were invited by Amazon Web Services to present at its She Builds Tech Skills Program. However, that was only focused on one company and one cloud provider.

The presentation for WiCyS 2025 will be company-agnostic, and the scope will include security for two to three cloud providers. The most important piece of this talk is managing the human aspect of building a CCOE practice. These cannot be found in any technical document.

Vani Mittal & Geetu Garg

Isaac Asimov once said, “Any sufficiently advanced technology is indistinguishable from magic.” When ChatGPT first arrived on the scene, it felt like magic. Ask a question, get an answer —simple. But the novelty is wearing off. Can Gen AI do more than just answer questions?

Real-world problems are complex, dynamic and often ambiguous. Imagine planning a meeting where everyone’s schedules are a tangled web of conflicts and commitments. Instead of just suggesting meeting times, what if it could become a personal secretary, coordinating schedules, finding the perfect room and even sending out invites?

Introducing AI agents, the digital James Bond, always ready for adventure and solving problems in style. AI agents can think on their feet, navigate complex situations, and tackle high stakes tasks with ease. They are always ready for the next mission.

But as AI becomes more sophisticated, so do the risks. AI agents present several unique concerns that go beyond those associated with GenAI in general. These concerns stem from their autonomous, decision-making capabilities and deeper integration into complex, real-world environments. Key issues include loss of control and accountability in autonomous decisions, heightened security risks like privilege escalation and manipulation, and the potential for biased actions without human oversight. AI agents also handle sensitive data, raising significant privacy concerns; and the ability to adapt and self-modify introduces unpredictability and trust challenges. Over-reliance on AI agents can result in serious consequences, making it essential to address these risks to ensure responsible and ethical deployment.

Shreya Choubey & Canan Eski Boz

The ever-growing “everything as code” approach has given people the ability to imagine and design new ways of baking security into everything they do. When it comes to managing infrastructure and access in the public cloud, it becomes crucial to stay secure and compliant and to do that at scale in a repeatable and testable manner.

This talk aims to share real-world experience on how to achieve that state via Security as Code (SaC). Attendees will leave the talk with a solid understanding of the main pillars of SaC in the public cloud space: Infrastructure as Code, Compliance as Code and Policy as Code. They also will learn about some of the available tools and procedures to achieve this, as well as how they can start implementing those practices in their own organizations.

Junibel De La Cruz

Gamification is an interactive technology that enhances the user experience by designing modular objectives into game-design elements. In the same manner, gamification has the potential to enhance cybersecurity awareness for neurodiverse individuals and people with disabilities by using assistive technology (AT) to achieve reward-system objectives. To further understand, the presenters conducted a detailed systematization of knowledge (SoK) on 71 peer-reviewed publications concentrating research efforts to increase cybersecurity awareness through accessible gamification. The findings of this SoK established fundamental components required to address the inclusive nature of gamification in cybersecurity and thereby identify requirements gathering objectives for impacting increased results in raising cybersecurity awareness. After a methodical process of iterative screening and manual analysis in this targeted subject matter, the presenters found that only nine out of the 71 gamified cybersecurity research initiatives directly address accessibility and the implementation methods for game-design elements that would facilitate accessible user experience. Moreover, a cross-functional learning management system and modular reward system can be optimized by data formulated through a technology acceptance model for people with disabilities using AT. Lastly, the presenters propose a modular training format should effectively engage and facilitate user interface and user experience despite context-oriented limitations on physicality.

Shannon Garcia

Sometimes destiny pulls a person in or, depending on how someone looks at it, pushes an individual out of the nest so they can become the person they were destined to be. For individuals who have been flirting with the idea of leading a cybersecurity consulting team or perhaps even starting their own cybersecurity consulting company but are torn on making the leap, listen to the presenter’s journey. The hope is that it will help attendees think through and prepare should they wish to explore this avenue.

Cheri Hotman

In today’s rapidly evolving cybersecurity landscape, the role of the chief information security officer (CISO) is more critical than ever. For those seeking the pathway to the C-suite or stepping into the job, this presentation will delve into the real multifaceted responsibilities of CISOs and highlight common challenges, the job’s day-to-day realities, and what essential skills and qualifications candidates need to be successful and long-lasting. Through real-life experiences and case studies, this presentation will uncover the realities of being a CISO and provide an understanding of the balance between strategic planning and operational responsibilities, and the importance of continuous learning and adaptation in this dynamic field. Aspiring CISOs will understand the numerous challenges they can expect to face in the position, from sophisticated cyber threats and regulatory compliance to those not frequently mentioned that often create issues for leaders.

Wherever aspiring cybersecurity leaders are in their career path, if landing a CISO role is an objective, this presentation will demonstrate that now is the time to start collecting the building blocks to be successful. The skillset required to be an effective and tenured CISO is diverse and includes not only technical acumen and strong leadership abilities, but it also requires specific qualifications and a strategy to bridge to higher management and stay there. Real-world examples will illustrate how these skills are applied in organizations and where to gain critical experience from current positions to rise to the CISO level.

Megha Jakhotia & Varsha Dwarakanathan

Who will pass the ultimate test of cybersecurity or fall prey to the clever schemes of a threat actor? Social engineering and phishing attacks can compromise even the most seemingly secure accounts, thereby putting sensitive information at risk. The statistics are alarming: 68% of breaches involve a non-malicious human element, such as a person falling victim to a social engineering attack or making an error.

What if one could look into the mind of a threat actor?
Join this unique presentation that will take attendees inside the world of cybercrime to explore the intersection of social engineering, technical exploits and physical tactics. Through a combination of real-world attack scenarios, case studies, interactive examples and quizzes, attendees will gain a deeper understanding of how attackers think and operate.

The presenters will demonstrate how attackers use tools like Gophish, Bash Bunny and WiFi Pineapple to achieve their goals and show how to defend against these tactics. Attendees also will gain a glimpse of threat-modeling and defense-in-depth strategies to protect their digital assets from malicious activities.

This presentation will be beneficial to security professionals, students and anyone interested in threat-actor tactics. By combining threat-modeling with defense-in-depth, attendees will be equipped with the know-how to defend against ever-evolving digital threats.

Zeydi Meyssa

With Kubernetes becoming a vital part of modern cloud infrastructure, securing clusters has become a key challenge. This session focuses on equipping attendees with the knowledge and tools to secure Kubernetes environments effectively. Through real-world examples and practical demonstrations, participants will learn how to address common vulnerabilities, misconfigurations and threats that target Kubernetes clusters. The session will cover essential security practices, including securing API servers, managing identity and access control, network security, and deploying threat detection mechanisms like Falco to monitor clusters for suspicious activities. Attendees will walk away with a deep understanding of how to strengthen Kubernetes security in their environments and the skills needed to stay ahead of evolving security challenges.

Vivian Yu, Dr. Laurie Salvail and Jasmine Jackson

Gen Z is stepping up as the next generation of cybersecurity leaders, bringing fresh perspectives, skills, a passion for problem-solving and helping their community stay safe online. The Cyber Education Alliance — a collaborative effort led by Girls Who Code and key partners — is collectively equipping young people with the skills, resources and pathways to thrive in cybersecurity careers. This panel will explore how the Alliance is addressing barriers and offering innovative education and networking-building programs to prepare Gen Z for the evolving cyber landscape. The session also will discuss what drives interest in cybersecurity and how organizations can better engage this generation to build a stronger, more diverse cyber workforce.

Natalia Bakhtina

Where does an organization stand in its quantum preparedness journey? Whether an individual is in early days or in full swing of crypto agility readiness, the presenters will discuss specific strategies to prepare for quantum times comprehensively, effectively and timely. With quantum computing surpassing digital computing performance at the rate of 1.5B times, now is the opportunity to prepare organizations and protect payments from the looming risk of quantum-powered cyber threats. In this session presenters will provide optimal results-driven approaches to incorporate crypto agility requirements into data governance models, IT roadmaps, procurement strategies and security frameworks. Approaching quantum readiness holistically, presenters will share crypto agility best practices and investment requirements to ensure attendees are equipped to deliver quantum preparedness strategy successfully and optimally. The presenters will discuss specific ‘musts’ and ‘nice-to-haves’ to adequately address crypto agility program components from governance policies, vendor products, shadow cryptography and in-house payment processing solutions to third party platforms, data, software development and system configuration. After this session, attendees will be equipped to address quantum computing risks successfully to ensure sustainable crypto agility posture of data, clients, organization and the payments ecosystem.

Mikyla Mickna

Participants will learn about the importance that RSA has had as a cryptographic algorithm while learning why it is not a viable solution for the future, what the plans are for the future and how it will affect them.

Nancy Miller

This session is designed to help aspiring cybersecurity professionals harness the power of AI to accelerate their journey into the cybersecurity workforce. With the increasing demand for skilled professionals, job seekers face challenges such as limited experience, stiff competition and rapidly changing technologies. This presentation will explore how AI tools can be used to develop in-demand cybersecurity skills, optimize resumes, prepare for technical interviews and build an impressive online presence. Participants will discover AI-powered learning platforms, resume builders, job search engines and interview simulators, all tailored to fast-track their entry into cybersecurity roles. By the end of the session, attendees will have actionable insights and tools to enhance their job search strategy, stand out in the competitive market, and be well-prepared for a successful career in cybersecurity.

Tanisha Jauhari

This study sets out to measure race and gender bias prevalent in text-to-image AI image generation, focusing on the popular model Stable Diffusion from Stability AI. Previous investigations into the biases of word embedding models, which serve as the basis for image generation models, have demonstrated that models tend to overstate the relationship between semantic values and gender, ethnicity or race. These biases are not limited to straightforward stereotypes; more deeply rooted biases may manifest as microaggressions or imposed opinions on policies such as paid paternity leave decisions. In this analysis, presenters use image-captioning software OpenFlamingo to identify and classify bias within text-to-image models. Using data from the Bureau of Labor Statistics, the presenters engineer 50 prompts for professions and 50 prompts for actions in the interest of coaxing out shallow to systemic biases in the model. Prompts include generating images for CEO, nurse, secretary, playing basketball and doing homework. After generating 20 images for each prompt, the presenters documented the model’s results, which show biases do exist within the model across a variety of prompts. For example, 95% of the images generated for playing basketball were African American men.

Tristan Mahan

There was a time in her career when doing enough and getting by were all she needed. She did not have ambitions to become a subject matter expert (in fact she dreaded that). She did not want to move into a leadership or managerial role. She was happy to take direction from her senior team members and stay in their shadow, but she felt so much pressure from managers, leaders and peers to work toward “moving up the ladder.” In fact, there was truly a negative connotation to staying put – she wasn’t ambitious; she was stagnant; she wasn’t growing. Was this true about her? Was there something wrong? This talk will be a reflective view into her career journey, how things changed for her (spoiler, they did!), and hopefully provide peace to anyone feeling that unwanted career pressure today.

Dona Maria Jose

Starting a new role can be daunting, especially when transitioning from academia to the professional world. In this talk, the presenter will share personal experiences of entering the workforce — twice as a new grad — facing uncertainties and overcoming initial fears. They will cover essential strategies for thriving early in a career from making the most of a ramp-up period and developing subject matter expertise to building a personal brand and managing career growth. Attendees will learn how to handle failures, communicate their worth and drive their own career path. Additionally, the group will explore the importance of financial management, self-care and navigating workplace dynamics. The presenter also will discuss how cultural changes between different work environments can affect professional interactions and why it’s crucial to help others while growing. This session will provide practical tips for handling the challenges of a first job, fostering long-term success and supporting peers. Whether a new grad or experienced professional, the journey to success starts with one step. Walk through it together.

Chandrani Mukherjee & Shruti Datta Gupta

In a rapidly evolving tech industry, security threats pose a constant challenge to product-engineering teams. Developers need to quickly and effectively resolve reported security bugs. Doing so requires a comprehensive knowledge of security guidelines, coding languages and underlying platforms. However, developers often struggle with accessing up-to-date guidance due to large and sometimes outdated documentation. Furthermore, the disparity between the number of developers and security engineers exacerbates the issue, making it impractical to provide manual, personalized guidance across various scenarios in a scalable manner.

This talk proposes a novel solution leveraging artificial intelligence to provide immediate and context-aware security guidance to developers, thereby bridging the gap between security needs and developer capabilities. It will focus on the use of state-of-the-art AI technology to develop this solution, including prompt engineering, retrieval augmented generation and semantic search. The talk also will delve into how the solution incorporates specific product and organizational contexts, such as the technology stack, prevalent vulnerabilities and established security standards, to ensure that the recommendations generated are both accurate and relevant.

The talk will provide a fresh perspective on leveraging AI to solve organizational security challenges, especially as a means to engage with engineering teams and democratize security guidance. Attendees also will learn different use cases in security where an AI-driven solution can be a better approach and the best practices to keep in mind when developing an AI-based tool.

Madison Thomas

Alongside the explosion of computer science in secondary education comes a need for cybersecurity education materials for educators and engaging curricula for students. The presenters created cybersecurity materials and activities that not only explain its significance but also increase student interest in cybersecurity, a field that is greatly misunderstood. This work is motivated by the large gap they have found – a lack of focus on middle school students – in prior secondary cybersecurity education research. The presenters created, piloted and refined cybersecurity activities for middle school students in various informal learning settings. The activities were designed with active learning and engagement principles in mind such as group activities, physical activities and games. They collected and analyzed data on student attitudes about cybersecurity, self-efficacy regarding specific topics, their engagement during activities, and perceptions of what cybersecurity professionals do in their everyday lives. The items developed from this research provide educators with materials to teach cybersecurity in their classrooms in fun and engaging ways. These findings also will contribute to the knowledge-base of how middle school students perceive cybersecurity and how to engage them when learning about cybersecurity.

Rosielle Vengua

The U.S. cybersecurity workforce gap has reached an estimated high of 750,000 unfilled positions in 2024. The U.S.’s current cybersecurity workforce consists of 26% identifying as non-white minorities while only 24% identify as female. This highlights the untapped potential in reaching out to the U.S.’s diverse groups and communities to address the ever-growing cybersecurity shortage. Also, there is an underlying need to understand the importance of diverse perspectives in cybersecurity to bring forth the necessary creative solutions to defend against the diverse cybercriminal threat. Organizations must gain broader insights into potential vulnerabilities and effective defense strategies from their workforce as a countermeasure to this threat. However, limited data exists on the identification and understanding of men and women of color and white women’s barriers and motivations in cybersecurity. This research study used Eccles et al.’s expectancy value theory (EVT) to explore 17 diverse participants’ cybersecurity career journeys. EVT suggests people’s expectations of success and the value they associate with those outcomes influence their choices and behaviors. When applied to career choice, this theory provided the framework to identify and understand commonalities in motivations, barriers and expectancy in career longevity across the participants of this study. These findings fueled recommendations for change at the industry and organizational levels, such as reframing what cybersecurity is and leveraging the understanding of diverse cybersecurity professionals’ personality traits and influences. Furthermore, organizations need to change their hiring and recruiting practices and transform into a culture of belonging to retain their cybersecurity talent.

Mayra Paredes

Powerful AI can analyze, detect and react against fraudulent activities. A holistic cybersecurity approach to build ethical AI can help mitigate various risks via a high quality, well-trained multimodal AI model that includes threat detection and user and entity behavior analytics that can respond efficiently, effectively and ethically against bad actors. In this talk, the presenter will describe three of the most repetitive challenges presented by AI and how the cybersecurity industry can embrace them to build a proactive response against the threat landscape: AI Ethics: Morality Bias, weaponization, liability stereotypes. Integrate diverse contributors to build this technology; AAA Systems: Authentication, Authorization and Accounting. Build an Ethical core system; Lack of expertise in the workforce: Embrace AI to foster diverse talent.

Sohini Pattanayak

As organizations undergo digital transformation, secure identity management becomes crucial for maintaining data privacy and access control. This presentation focuses on how Okta empowers organizations by providing secure identity solutions that enhance user experiences and improve access management. With Okta’s Universal Directory, Single Sign-On and Adaptive Multi-Factor Authentication, businesses can mitigate risks like phishing and unauthorized access. Additionally, this session will highlight real-world examples where Okta has been implemented to streamline operations in hybrid environments, emphasizing best practices for securing access across remote and on-premise teams. Attendees will learn how to optimize Okta’s capabilities to meet compliance requirements and drive efficiency within their security frameworks.

Jeet Shah

In a rapidly evolving threat landscape, mastering penetration testing is essential to fortifying applications and safeguarding data. This talk offers a foundational yet insightful exploration of pen testing for security professionals aiming to strengthen their defenses. The session will begin by examining the “shift left” versus “shift right” paradigms in security, evaluating how each approach shapes testing methodologies and impacts vulnerability management. From there, they will demystify the essentials of penetration testing — what it truly involves, what it doesn’t, and how it stands apart from other security practices. Attendees will be introduced to key tools used in web application pen testing, essential for efficiently identifying and addressing weaknesses. Through interactive find the bug challenges, participants will engage in hands-on scenarios to recognize common pitfalls and testing blind spots. The session also will explore crucial pen testing metrics, providing a roadmap to measure testing effectiveness and foster continuous improvement. Finally, they will dispel pervasive myths that often mislead or undermine penetration testing efforts, offering clarity on what penetration testing can and cannot achieve. By the end of this session, attendees will gain a comprehensive understanding of pen testing’s vital role within an application security program and leave equipped with the knowledge to approach their organization’s security with renewed insight and confidence.

Johanna Jacob

The demand for a skilled cybersecurity workforce has become a top national priority, yet the supply falls short, with only 69 qualified workers available for every 100 positions employers seek to fill. Building a robust workforce pipeline calls for early engagement in the K-12 ecosystem, especially as K-12 cybersecurity education reaches a critical turning point. A recent study across 11 states with significant rural student populations revealed that only 192 schools offer cybersecurity or computing courses, highlighting the urgent need for targeted strategies to ignite student interest in cybersecurity careers. Cybersecurity competitions have proven to be effective tools for discovering talent and engaging students who may not excel in traditional educational settings. However, rural students are often excluded from these opportunities due to urban-centric participation, unequal distribution of Title I funding, a shortage of qualified teachers and coaches, and other structural challenges. These barriers create an inequitable landscape that limits rural students’ access to cybersecurity education, underscoring the need for inclusive solutions. This presentation addresses these disparities by sharing insights from multiple case studies, spotlighting the barriers rural students face and the untapped potential within these communities. The findings lead to a proposed, scalable strategy for implementing K-12 cybersecurity education in a rural district, aiming to build a grassroots, community-supported model that empowers educators and dispels stereotypes around cybersecurity expertise. Through the use of modular resources, tabletop simulations, and collaborative community involvement, this presentation seeks to pave an accessible and sustainable pathway for rural students to pursue cybersecurity careers.

Charlotte Thumelin

Peek behind the curtain with an insider and examine a comprehensive analysis of the large-scale cybersecurity measures implemented during the 2024 Olympic and Paralympic Games in Paris. With 500 different entities and 548 security events monitored, the session will explore the complexities of managing cybersecurity in a high-stakes environment. Attendees will learn about the extensive four-year preparation process, which included insights from the Tokyo Games, crisis management simulations and site audits to identify vulnerabilities. Key topics will include the challenges of securing open and dynamic venues, the importance of establishing minimum security thresholds across diverse organizations, and effective coordination among stakeholders, including both public and private organizations. The session also will address the significant role of user awareness campaigns in mitigating risks during the event.

Lydia Zhang & Yunfei Ge

In the rapidly evolving landscape of cybersecurity, traditional penetration testing techniques are no longer sufficient to combat modern, complex threats. This session will explore the evolution of penetration testing from conventional approaches to a more advanced, continuous threat exposure management strategy. Presenters will highlight how AI-driven tools are revolutionizing this space by automating vulnerability detection and validation by using the latest and greatest ethical hacking techniques. This will help organizations enable more frequent security testing and shorten their risk windows from years/quarters to days/hours.

Attendees will gain insights into the practical implementation of AI in penetration testing and how it enhances the effectiveness and efficiency of identifying security gaps.

The session also will showcase an AI-driven platform developed by a woman-led team that automates penetration testing, illustrating the future of offensive cybersecurity strategies.

This presentation aims to inspire more women to engage in cybersecurity, particularly in offensive roles, and to contribute to building more robust security infrastructures.

Deepika Kothamasu

Generative AI is the number one priority for companies, but there are concerns. In a recent study by IBM’s Institute of Business Value, a whopping 64% of CEOs feel the heat to jump on the generative AI bandwagon. However, a striking 84% identify cybersecurity as the main roadblock. So, how do businesses keep innovation flowing while ensuring security and trust?

In this session, the presenters will delve into the evolving generative AI threat landscape, exploring emerging cyber threats. They will examine the delicate balance of using data for training AI models while safeguarding data privacy, usage and copyright concerns. AI governance and ethical considerations to ensure fairness and transparency will be explored, offering strategies to address bias and ensure accountability. Join this session to discover how AI can be secured, ensuring that the transformative power of generative AI can be harnessed for the betterment of humanity (no evil AI system plotting world domination!).

Ann Wallace

Yearly compliance and security training often feels like a chore – tedious and disconnected from the real challenges people face. What if there was a way to captivate folks and excite them to learn more about security? The simple answer is storytelling.

This presentation will explore the role of storytelling in teaching security principles and concepts to an audience that might have little interest in the topic. They will delve into the core concepts of storytelling, highlighting what works and what doesn’t. They will share stories of success and failures, providing a candid look at the impact of storytelling on the effectiveness of security education.

Lastly, they will share how these storytelling techniques have been instrumental in shaping the security education program at Okta.

Attendees will leave this session with innovative strategies to make security education more accessible, engaging and enjoyable through the power of storytelling.

Brigette Whaley, Ph.D. & Mary Nusrat

This presentation introduces a novel approach to cybersecurity training through the lens of prompt engineering with ChatGPT. Prompt engineering enables targeted and nuanced AI interactions, creating custom simulations that bolster cybersecurity education. By crafting purposeful prompts, educators and students can engage ChatGPT to generate realistic threat scenarios from phishing attempts to social engineering tactics with incident response drills. This session will demonstrate how carefully crafted prompts can direct ChatGPT to produce nuanced cybersecurity simulations that accommodate various experience levels and learning experiences.

Attendees will learn practical techniques for integrating ChatGPT into cybersecurity education, including methods for generating simulations that mirror real-world cyber challenges. Hands-on demonstrations will guide participants through creating prompts that foster situational awareness and critical thinking, two essential components of cybersecurity readiness. Attendees also will explore ethical AI usage in training contexts, ensuring that AI supports responsible cybersecurity learning.