Boston has always had a particular talent for calling things as they are. It showed up at the Hynes Convention Center on Wednesday, April 8, as the 22nd annual SecureWorld Boston conference opened its doors and welcomed the region's cybersecurity community out of the cold, clear late winter weather for a two-day run at questions that matter.
The day opened early—with registration live by 7 a.m., PLUS courses underway by 7:30—and by the time the keynote theater filled for the 9 a.m. opening session, the room had the energy of a community that had been waiting to have this conversation.
That conversation started with "Security Catharsis." Moderated by Kyle Bubp (CISO, Avid) and featuring Gaël Frouin (CISO, AAA Northeast), Christopher Rich (BISO, MassMutual), and Praveen Sharma (Head of Product Security, Cubic Transportation Systems), the opening keynote brought up the topics that aren't always easy to discuss.
What followed was a conversation that security professionals have been having at happy hours for years—finally moved to the main stage. Hype versus real threat. Security awareness training as victim-blaming dressed up as a compliance checkbox. The tendency to reach for new tools when the foundations need addressing. There weren't always easy resolutions. This was rarer: permission to say aloud what those in the room were thinking and experiencing.
The rest of Day 1 built on that candor across a full slate of concurrent sessions. Bill Bowman (Operating Partner | CISO, Welsh Carson Anderson & Stowe) made the case for translating security risk into board language in "Breaking into the Boardroom." Randall Jackson (CISO, Income Research + Management) explored what it looks like for security teams to shift from reactive gatekeepers to business enablers. Richard Genthner (CISO, Boost Insurance) tackled shadow AI head-on: ChatGPT, Copilot, Claude, Gemini—tools that didn't knock on security's door before walking past it, and the urgent governance challenge that creates.
The Networking Hall ran all day, giving attendees the chance to connect not only with the deep sponsor roster, but also the region's leading association chapters—ISACA New England, ISSA New England, ISC2 Eastern Massachusetts, InfraGard Boston, WiCyS, and others. These associations form the connective tissue of the New England security community—hosting them under one roof is a lasting SecureWorld commitment.
Day 1 closed the way it should: with a happy hour extending from 4 to 5:30 p.m. in the Networking Hall, letting the day's ideas breathe and grow into new connections. These times prove that sometimes the best debrief sessions don't have moderators.
The Timeless Cybersecurity theme that anchors SecureWorld's 2026 season found its footing on Day 1 in the most direct way possible: by looking to the past, amplifying the human, and building a better, more secure future.
The stage was set for Day 2.
Even at the tail end of Day 2, the energy of attendees carried things through.
The second-half atmosphere of any well-run conference has a distinctive feel. The ice is broken. The mental maps are set. Attendees have completed first-day handshakes and arrived, collectively, at the thing conferences are best for: an unguarded exchange between peers sharing a hard problem and a professional commitment to solving it. By Thursday morning at the Hynes, the Boston security community was squarely in that zone.
If Day 1 of the event set the table—framing this year's Timeless Cybersecurity theme, and igniting honest peer-to-peer dialogue—then Day 2 was about delivering the meal. Day 2 surfaced the conversations that happen when professional facades wear down and real talk emerges.
And honestly? Those are the best kind.
Thursday, April 9, had the feel of a well-worn conversation between people who'd been thinking out loud together for 24 hours. This was a fitting context for a day that would carry the community from keynote insights on security velocity to a powerful exploration of the legal implications of cybersecurity.
Day 2 opened with Silas Adams (CISO, Pep Boys) taking the keynote theater stage for a session titled "Security at the Speed of Innovation." Adams explored how the dominant industry narrative—security as the last line of defense, the brake pedal, the department of "no"—has calcified in ways that cost organizations real ground.
Adams came out swinging against that narrative. His argument: velocity-first security isn't a contradiction in terms; it's a design choice. Risk-based controls rather than painful toll gates. Automation as default. Human exceptions by design. A shift-left strategy that iteratively reduces blast radius while increasing delivery speed. He applied the same thinking to agentic AI ecosystems—the north-south and east-west threat surfaces that are keeping security leaders up at night—arguing that you can build systems that allow every line of business to innovate confidently, provided the right guardrails form the foundation.
It's a compelling blueprint, and the post-keynote Cyber Connect in the Networking Hall invited attendees to explore further in real time. Bonus Networking Hall sessions—a SecureWorld special—are consistently rated the "most valuable feature."
Morning breakouts continued to press on familiar pressure points from creative angles. Craig Stanland—author of Blank Canvas: How I Reinvented My Life After Prison—opened the ISSA New England Chapter Meeting with a session on insider threats. After committing an $800,000 fraud, Stanland served time. He came to Boston's security community not to scandalize but to illuminate: insider threats don't always begin with malicious intent. They start with a human under pressure finding small, incremental rationalizations that often bypass policies and frameworks. A bracing start to the morning.
Javed Ikbal (CISO, Bright Horizons) brought a sobering clarity to the ISC2 Eastern Massachusetts Chapter Meeting with his session titled "Pyongyang's Programmers: Solving Developer Shortage with Kim's Keyboard Commandos." North Korean operatives embedded inside Western IT teams, generating state revenue, siphoning IP, and quietly positioning for future ransomware extortion. A documented, ongoing threat. Ikbal walked through the key TTPs and mitigation strategies in a session that blended the density of a threat briefing with the accessibility of a great conference talk.
In Room 208, Jeramy Kopacko of Sophos explored adversarial generative AI—what he framed as Newton's Third Law applied to digital offense. For every beneficial AI capability, adversaries are engineering an equal and opposite weaponized version. The human attack surface, he argued, has never been more exposed. Deepfakes, synthetic phishing, hyper-personalized social engineering—these aren't theoretical, they're operational.
It's not every conference that assembles a panel including the Chief of the Securities, Financial and Cyber Fraud Unit for the U.S. Attorney's Office for the District of Massachusetts (Seth Kosto), a former national coordinator for cybercrime prosecutors (Brian Levine), the Assistant Attorney General and Chief of the Privacy and Responsible Technology Division of the Massachusetts AG's office (Jared Rinehimer), and Stephanie Siegmann—Partner and Chair of International Trade, National Security, Cybersecurity and AI at Hinckley Allen, and former National Security Chief for the same federal district.
Their lunch keynote, "The Intersection of Cyber Incident Response, Regulatory Compliance, and Enforcement in a Rapidly Evolving Threat Environment," covered territory that security professionals need to understand but rarely hear articulated with this kind of legal precision. False Claims Act exposure when cybersecurity posture doesn't match representations made to the government. The escalation of state AG enforcement. The liability gap between having a plan and executing one under pressure. The uncomfortable reality that incident response isn't just a technical problem—it's a legal event.
Alongside the presentations, the demonstrations, and the Dash for Prizes drawing in the afternoon, this year's conference carried a layer of meaning that no agenda line item could fully capture.
The community paused to remember Andy Smeaton.
A longtime member of the SecureWorld Boston Advisory Council, Andy was most recently CISO at Jamf. Before that, he held senior InfoSec positions across a remarkable range of organizations—Merlin Ventures, Afiniti, DataRobot, MIB Group, The Saudi Investment Bank, and Danversbank among them. He was, in the fullest sense of the phrase, a fixture in the Boston security community.
Those who knew him put it simply: you knew when Andy was in the room. He was quick with a smile, warm in presence, and genuinely invested in the people around him. That combination of expertise and humanity, it turns out, is rarer than it should be. Cybersecurity attracts brilliant technicians. It doesn't always attract people who know how to make others feel seen. Andy managed both.
The inaugural Andy Smeaton Leadership Honor, awarded to Bill Bowman, wasn't a footnote. It was a reminder. The work we do in cybersecurity exists in service of people—their data, their systems, their trust, their futures. Advisory Councils like the one that surrounds SecureWorld Boston are only as good as the humans who commit to showing up, year after year, with knowledge and generosity intact. Andy was one of those people. Andy's absence was felt throughout the two days in ways that are hard to quantify but impossible to miss.
A GoFundMe remains open and available for those looking to support Andy's family and legacy.
Afternoon sessions covered terrain that felt like a natural landing point after two days of accumulated insight. Energy in the room, true to form, was candid and considered—exactly the right register for the conversations being had.
Mark Annati (CISO, Commonwealth of Massachusetts Executive Office of Economic Development) offered something refreshingly grounded in "Behind the Prompt: A CISO's Practical AI Journey." This was a security leader's honest account of where AI is actually being useful—automating policy work, streamlining threat analysis, and yes, solving everyday problems along the way. Accessible, practical, and the kind of session that tends to generate great hallway conversations afterward.
Kishore Gangwani (Principal Engineer, Application Security, CarGurus) tackled the dual nature of AI for security engineering. Model Context Protocol security, agentic AI risk, the emerging threat surface created by "vibe coding"—but also the genuine upside: faster code review, more scalable pen testing, better signal from AI-assisted detection. The session avoided the binary framing that plagues most AI security conversations. The answer isn't fear or enthusiasm; it's engineering discipline.
Afternoon panels confronted the consolidation question ("The Great Consolidation: Rationalizing the Security Stack") and the perpetual identity-cloud-data trifecta ("The Velocity of Trust"), both of which drew in vendor and practitioner voices in the format that works best at these conferences—structured enough to move forward, open enough for real disagreement to surface.
The final Cyber Connect of the conference—a wrap-up of Thomas Hart's "Putting the Pieces Together" project—was a fitting close. A 1,000-piece jigsaw puzzle of Boston, assembled collaboratively throughout both conference days, with attendees using it as a literal metaphor for the cybersecurity environment: fragmented pieces that only resolve into something coherent when you commit to working together. Hart gathered the community's takeaways from the two days, stitching them into a final reflection that mirrored what the best moments of SecureWorld Boston consistently deliver.
The 22nd annual SecureWorld Boston conference wrapped the way the best conferences do—not with a neat conclusion, but with a set of open questions worth carrying forward.
Timeless Cybersecurity rests on a hypothesis: that beneath all the tools, frameworks, and escalating threat vectors, the core challenges of this work—trust, vigilance, communication, resilience—are stubbornly, usefully human.
The more things change—and they are changing fast—the more that truth remains the same. Technology serves humans. Humans build community. This community makes events worth showing up for—year after year, iteration after iteration.
SecureWorld Boston will be back. See you next time.