CISO Forum

CISO Forum brings together cybersecurity leaders to share insights and strategies for tackling challenges, offering a unique opportunity for security and IT executives to exchange valuable experience.

TIME & LOCATION
  • 4/15 (Tue.) 14:00 - 17:00 | 701G Meeting Room
  • 4/16 (Wed.) 14:45 - 16:45 | 701F Meeting Room
  • 4/17 (Thu.) 14:00 - 17:00 | 701D Meeting Room
AGENDA
4 / 15
14:00 - 14:30
7F 701G
Lai, ChuCheng (George) / Information Security Department Head Fubon Life Insurance

The ISO/IEC 27001 is already a universal information security standard in the financial industry. In addition to continuing to maintain the validity of ISO/IEC 27001 certification, we began to think about how to continue to "consciously" strengthen the company's information security. Therefore, at the end of 2024, we overcame many difficulties and obtained the first NIST CSF certification in Taiwan's financial industry.

Through the Cybersecurity Framework proposed by the National Institute of Standards and Technology (NIST), we use the core framework and five implementation levels of the NIST CSF to examine the maturity of the company's information security governance, find our shortcomings in information security management, and then strengthen it in stages according to the risk level and company resources to build a more complete information security management structure.

The bitter blood and tears of introducing the NIST CSF certification process will be shared through this speech. I hope it will bring you inspiration and gain.

  • NIST Cybersecurity Framework
  • Governance
  • Certification
4 / 15
14:45 - 15:15
7F 701G
/

With the rapid development of AI technology, enterprises now face more complex information security threats.

This course is going to analyze the four major challenges brought by AI technology: the speed of technological development, system vulnerabilities, data authenticity, and continuous vigilance. It will also explore how to enhance defense capabilities through CTEM (Continuous Threat Exposure Management), ZTA (Zero Trust Architecture), and CSPM (Cloud Security Posture Management).

Additionally, it will share how to integrate SOC, MDR and SOAR to build an information security monitoring and response platform, and how to enhance exposure management and information security resilience through EASM (External Attack Surface Management), BAS (Breach and Attack Simulation), and Incident Response exercises.

Finally, this session will help enterprises grasp AI driven information security trends, establish more comprehensive protection strategies, and ensure operational security and digital transformation development.

  • AI Security
  • Security Operation
  • Incident Response
4 / 15
15:30 - 16:00
7F 701G
Kent Chou / Solution Engineer, North Asia OPSWAT

The rise of artificial intelligence (AI) presents new cybersecurity risks as its applications expand across industries, from data analytics to automation. While AI enhances efficiency, it also introduces security concerns.

  1. AI-Driven Attacks: Hackers exploit AI for sophisticated cyber threats, such as deepfake disinformation and automated phishing, making attacks more deceptive and harder to detect.
  2. Data Privacy and Surveillance: AI relies on vast amounts of data for training, often involving sensitive information. This increases the risk of data breaches and misuse.
  3. Security Vulnerabilities in Automation: AI-driven cybersecurity solutions can strengthen defense mechanisms, but flaws in AI models, biased training data, or system vulnerabilities may lead to misjudgments and security gaps.
  4. Regulatory and Ethical Challenges: As AI adoption grows, balancing innovation with regulation is crucial. Ensuring privacy protection and preventing AI misuse remain key global challenges.

To address these risks, businesses and governments must prioritize cybersecurity, strengthen legal frameworks, and invest in AI security measures to build a safer digital future.


  • AI Security
  • Data Security
  • Compliance
4 / 15
16:15 - 17:00
7F 701G
Jesse Ku / Global Cybersecurity Manager Bora Pharmaceuticals

Cybersecurity is essential across all industries and stands as one of the cornerstones of national security in Taiwan. Yet, discussions often center around technical details or attack methodologies, leaving out the real-world challenges defenders face in their daily operations. With limited resources and budgets, the critical issue of how to implement proactive strategies, optimize resource allocation, and maximize defense effectiveness has received surprisingly little attention.

In this presentation, I will explore how to foster a resilient defensive mindset, select and deploy the most effective tactics and tools based on your organization's specific needs, and examine the latest trends in attack methods. Rather than relying on traditional frameworks, we will focus on building a more practical, results-driven defense strategy. Through real-world case studies and firsthand experiences, I will provide actionable insights that go beyond theory, offering concrete, immediately applicable strategies.

Whether you are a business leader, a cybersecurity professional, or someone passionate about the future of digital security, this session will equip you with valuable knowledge to help you optimize your resources and enhance your organization's security posture.

  • Security Strategy
  • Security Operation
  • Incident Response
4 / 16
14:45 - 15:15
7F 701F
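小P / External Expert Committee Member, ISACA Headquarters; Co-founder, Taiwan Enterprise Risk Governance and Quantitative Analysis Association (台灣企業風險治理暨量化分析協會)

This talk draws on Edward de Bono's "Six Thinking Hats" model and adapts its concepts into a thinking framework for the modern CISO (Chief Information Security Officer) and security leaders. As digital threats intensify and technology and business become deeply intertwined, the CISO's role is no longer limited to technical expertise; it must also cover strategic thinking, financial insight, risk management, regulatory compliance, leadership and other functions.

Through the six thinking hats (white, yellow, green, black, blue and red), the talk will examine in depth how CISOs can flexibly apply different perspectives in day-to-day security governance to strengthen decision-making, drive cross-department collaboration and build a security culture. For example, the white hat represents data-driven expertise, helping the CISO analyze threat intelligence and assess system weaknesses; the yellow hat emphasizes positive communication skills, helping the CISO turn technical jargon into easily understood information and promote a security culture in which everyone takes part. These modes of thinking complement one another, enabling CISOs to manage resources effectively, control risk and maintain regulatory compliance in a complex cyber environment.

Attendees will gain a practical set of structured tools to help CISOs improve resilience when responding to digital threats and stay aligned with corporate strategy in day-to-day decisions. By flexibly applying the six thinking hats, CISOs will be able to instill security awareness in all employees and build a more solid digital ecosystem for the enterprise.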

  • CISO
  • Governance
  • Risk Management
4 / 16
15:30 - 16:00
7F 701F
Chun Kung (Rock) Hsu / CIO, Chuming Hospital Chuming Foundation

Healthcare organizations handle vast amounts of sensitive data, making cybersecurity resilience critical. With governments pushing cloud adoption and international data exchange, hospitals must also evolve their risk management strategies.

Yet, limited resources make keeping up with rapid tech changes a huge challenge. Before investing in high-end security tools, organizations need a solid review process—otherwise, the infamous 'Swiss cheese model' of security gaps will leave them exposed.

This talk, based on real-world security audits, will uncover common management blind spots and introduce the original 'Cybersecurity Cheese Checklist.' Designed for all industries, this checklist helps organizations strengthen security in practical ways—before employees unknowingly become insider threats.

  • Security Awareness
  • Cloud Security
  • Governance & Risk Management
4 / 16
16:15 - 16:45
7F 701F
Anthony / CISO SHOPLINE

Peter Drucker’s concept of “what gets measured, gets done” underscores the critical role of measurement in setting priorities and achieving objectives. By deciding what to measure, we define what truly matters, enabling a sharper focus on the actions that drive success. Without clear metrics, it’s impossible to track progress or ensure the job is done right. Metrics provide the structure, clarity, and accountability needed for effective decision-making and meaningful results.

In cybersecurity, the challenge of measurement is even greater. The constantly shifting threat landscape, the intangible nature of digital risks, and rapidly evolving technologies make it especially hard to quantify success or gauge performance. That’s why metrics are so vital—they bring clarity to uncertainty, help assess efforts, prioritize risks, and ultimately enable organizations to meet their goals.

  • Risk Management
  • Cyber Risk Quantification
  • CISO
4 / 17
14:00 - 14:30
7F 701D
Brian Shen / Product Director Trend Micro

As Generative AI (GenAI) transforms the business landscape, it also introduces new security challenges and risks. In this session, we will explore effective strategies for safeguarding your GenAI initiatives, focusing on building a robust security framework that protects against evolving threats. Attendees will learn actionable approaches to enhance cybersecurity while driving GenAI innovation. This talk is ideal for those beginning their GenAI journey, providing clear guidance on securing your technology and fostering sustainable growth and innovation. Join us to discover how to protect your organization while unlocking the full potential of GenAI.

  • Cyber Resilience
  • Risk Management
  • AI Security
4 / 17
14:45 - 15:15
7F 701D
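楊峻程 / Consultant, Digital Technology Development Headquarters, AUO

Security governance is not only a matter of technology and risk management; it is deeply embedded in organizational culture, policy-making and talent development. Using real cases, this talk will explore how enterprises can combine operational needs with business goals to move step by step from Security Operations to Security Governance.

From a CISO's perspective, talent development and professional certification are key to raising security maturity. Professional certifications help organizations adopt security frameworks and best practices quickly, help them align smoothly with customers and interested parties, strengthen risk management and compliance, and improve the security management system. Security governance must be aligned with the company's long-term strategy and continuously improved. Enterprises should strengthen their risk forecasting and incident response capabilities and use standardized management frameworks (such as ISO 27001, NIST CSF + CDM) and governance mechanisms (such as GRC) to ensure that the security system can respond strongly to all kinds of security challenges.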

  • Governance Risk & Compliance
  • Security Strategy
  • Certification
4 / 17
15:30 - 16:00
7F 701D
Edward Yu / GM Blackcat Information Corp. Chief Information Security Officer, Chairman Office Zyxel Group Corporation

This presentation will delve into the core strategies of Information Security Risk Management, focusing on how to build resilient cybersecurity defenses against increasingly sophisticated digital threats. As enterprises accelerate digital transformation, they face a rising frequency and complexity of cyberattacks. Drawing from Zyxel Group Corporation’s hands-on experience, this session will provide a deep dive into today’s most pressing cybersecurity threats, including social engineering, endpoint security, cloud security, and system vulnerability management.

The discussion will highlight how businesses can conduct comprehensive risk assessments, identify high-risk assets, and implement effective countermeasures. Special emphasis will be placed on practical strategies for Zero Trust architecture and supply chain risk management, equipping organizations with the tools to proactively mitigate emerging threats.

Key Takeaways for the Audience:

  • Gain critical insights into identifying and addressing the most prevalent cybersecurity threats faced by enterprises.
  • Master cutting-edge security techniques and best practices for effective implementation.
  • Learn from real-world case studies to understand the seamless integration of cybersecurity strategies into business operations.

This session aims to enhance attendees' strategic perspective on cybersecurity, empowering them to fortify their organizations’ digital resilience and stay ahead in the evolving threat landscape.

  • CISO
  • Governance Risk & Compliance
  • Cyber Resilience
4 / 17
16:15 - 17:00
7F 701D
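小P / External Expert Committee Member, ISACA Headquarters; Co-founder, Taiwan Enterprise Risk Governance and Quantitative Analysis Association (台灣企業風險治理暨量化分析協會)

To strengthen security management at exchange-listed and OTC-listed companies, current rules require such a company that suffers a major security incident to publish a material information announcement immediately and, if the loss reaches a certain amount, namely 20% of share capital or NT$300 million or more, to hold a material information press conference. How to calculate the loss is bound to become a pressing task for CISOs, CIOs and risk management staff. This talk will introduce the latest trend in technology risk management: CRQ, cyber risk quantification. It focuses on the CRQ methodology of the FAIR Institute, which is widely adopted by US listed companies. The talk will give a brief introduction to the FAIR CRQ methodology and explain CRQ's potential in regulatory compliance, risk communication, decision support and strengthening technology risk governance. It offers attendees and listed companies a methodology with which to prepare for the regulatory changes mentioned above.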

  • Cyber Risk Quantification
  • Governance Risk & Compliance
  • Risk Management

More speakers and agenda details will be announced soon.