Dr. Garrett Smiley currently provides oversight and governance for all information and cyber related compliance, risk management, and security within Serco, Inc. The major areas of focus thus far include protecting unclassified federal government data on the technical estate (e.g., DoD CMMC/DFARS 252.204-7012/NIST SP 800-171/171A compliance), helping to maintain our Special Security Agreement (SSA) with the Defense Counterintelligence and Security Agency (DCSA), and increasing overall security for systems.

Curriculum Development – Developed and published dozens of IT and InfoSec related e-learning materials including books, Computer Based Training (CBT)/Learning Management Systems (LMS) courses, exam banks, instructor’s guides, hands-on labs, presentations, and video courses

Cyber Scorecards – increased compliance scores for several agencies as much as 79% in just several months’ time

Dissertation Chair – helped dozens of students earn their PhDs in business and technically focused areas for the past six years

Information Assurance (IA) – Obtained and maintained Authority to Operate (ATO) for hundreds of federal systems

Professional Certification – managed seven of the professional certification programs for (ISC)2, including the CISSP, the gold standard in the InfoSec industry

Professional Development – earned five degrees, including four IT and InfoSec focused degrees ending with a PhD as well as maintaining roughly 50 professional certifications

Program Development – established dozens of programs from scratch for disciplines such as Information Assurance and Supply Chain Risk

Coming soon!

Jayesh Ahire is the Founding Product Manager at TraceableAI where he runs the Company’s API Security initiative. He is the AWS ML Hero, Twilio champion, and maintainer of various OSS Projects like OWASP crAPI and Hypertrace. He is also the organizer of API Security Global Community, AWS UG, Elastic UG, TensorFlow UG, and many other communities in India. His research interest involved Distributed neural computers and Defi. In his free time, he likes to read and these days he is learning to play the piano.

Do the Right thing, shift Left!

We all remember the famous phrase of Andreessen Horowitz, “Software is Eating the world”. It was definitely true at the time, but times have changed. It’s APIs that are now eating the world. Using APIs to expose core business functionality and facilitate service-to-service communication has become standard. Not only it gives us several control points but also makes it easier to deal with complex modern applications. Although, these modern API-driven applications come with their issues like design complexity, visibility, communication, security, etc. One of the major challenges here is properly securing APIs.

It is becoming increasingly urgent as API-related attacks are impacting companies across nearly all sectors, resulting in skyrocketing costs for businesses. In the U.S. alone, the average annual API-related cyber loss is estimated to be USD $12-23 billion. One of the best ways to deal with this is making API security a part of your SDLC.

API Security testing is one of the ways to do that. API security testing helps in finding vulnerabilities in very early stages, giving developers and Product security engineers more time and context to build the resilient systems. In this talk, I’ll show you how to easily integrate API security testing into your SDLC, to build secure applications and APIs using various OSS and Enterprise tools.

Author of “My Time at the Clinton White House” & well-known keynote speaker. Colonel Mark Gelhardt has over 45 years of experience in executive level management both Information Technology & Cyber Security. A retired Army Officer and Combat Veteran. While in the service Colonel Gelhardt was the CIO/CISO of the Clinton White House where he managed all the classified Automation and Telecommunications for the President, VP, the White House Staff, and the Secret Service.

Since joining the private sector Mark has held positions that includes – CIO/CSO at World Airways (largest US wide body, long hall, charter airline). CTO/CISO at InterCall/West (world’s largest conferencing company). CISO at TravelClick – a global SaaS company in the Hospitality space. As a consultant Mark was the Acting CISO for both NCR and the Georgia Lottery. As a contractor Mark was the Program Manager (PMO) for a large classified contract with the CDC. Currently, Mark is the SVP Global Technology Governance for US Bank/Elavon.
As a volunteer Colonel Mark Gelhardt is the Chief Information Officer (CIO) for the Georgia State Defense Force (GSDF).

Mark is a well-known Author and Keynote Speaker. He speaks on a wide range of topics to include; The White House, Politics, Leadership, Mentorship, Motivational, Information Technology, Cyber Security, Global Governance, Risk and Compliance, and many other topics.

Is there really a tech personnel shortage? I don’t think so and come listen to me explain why.

Everyone says there is a technology personnel shortage, but I don’t agree. There are tons of people that want to get into CyberSecurity or Technology. We need to help retired military, college interns, and more into our space and understand we can teach or train those people into what we need. Some of our issues center around old hiring practices and rules given to us by Human Resources and Equal Opportunity rules/laws. Our hiring practices are all about skills, certificates, work history, and not about the person, their personality, and their potential. We also do not teach our hiring managers how to interview people for potential, for what they can learn, or for who they are as a person. We are so worried about being sued for asking different questions to different individuals during our interview process then we are about getting the right person.

Eric is currently the CSO at MedeAnalytics, a leading Cloud Computing company delivering services for the healthcare system (including hospitals, physician practices, and payers). He has extensive experience working in operations and information security for Cloud Computing companies, including taking Salesforce.com through ISO 27001 certification during his 2 year stint as Information Security Director and running operations for two other Cloud Computing companies, Netfile and Grassroots Enterprise. His experience stretches beyond US borders as he spent two years in New Zealand leading the National Information Security and Business Continuity practice for KPMG and then working for NTT/Dimension Data in New Zealand and Singapore where he led the Incident Response and Computer Forensics practice for Asia/Pac. Eric has published articles on Information Security and IT in various magazines including Computerworld, SC Magazine, Inside Homeland Security, and Windows NT Systems, has presented training programs in many countries around the world, and is a regular speaker at industry events in the United States, Asia, and Oceania.

Application Security from open source to SDLC – What’s the CISO play beyond vulnerability assessments and pen testing?

Universities have dropped the ball on secure coding, but that doesn’t mean the CISO should follow suit. The CISO must become sleuth extraordinaire to understand how disparate SaaS and PaaS solutions are integrated into the development process to improve velocity – and then secure those systems, ferret out the open source integrated into applications (including the most devilish of code snippets lacking appropriate attribution or undisclosed copy left licenses) – and then provide attribution and remove the offending licenses, and find the projects at infancy and integrate early with product management to build security in (no more bolt-on security Band-Aids). In this session we will investigate new tooling that will uncover what was previously hidden, integrate process while improving development velocity, inject security earlier into the project (sometimes even invisibly), and still deliver the traditional application vulnerability management and pen testing that is expected by the clients. Quality takes a leap forward and customer/stakeholder relations improve. Is this possible? It sounds too good to be true. Welcome to the next step of partnering with development – security enables warp speed application development…no speed bumps or stop signs (unless you want to remind them, occasionally, who’s in charge).

Sridhar Kocharlakota is the Director of Technology at Energy Insurance Mutual, a Tampa based Insurance company. Sridhar has 25 years of experience in the IT industry serving at different capacities in Telecom, Consulting, Insurance, Government, Mortgage and Banking verticals. As the Director of Technology at Energy Insurance Mutual, Sridhar’s role involves setting a technology vision for the organization and continually improving the technical landscape directly contributing to the success of the organization.

Sridhar is a hands-on technical leader who has led the migration of systems and applications to the Cloud for EIM in 2016. The migration to Cloud was just a start, it opened a great aperture to embrace several opportunities to improve the overall business and technical landscape of EIM.
Sridhar holds a Bachelor’s in Mechanical Engineering from India and has a dual Master’s in Technology Management and Business Administration from Stevens Institute of Technology, New Jersey. He is a certified Project Management Professional and a certified CISO.

In the year 2021, Sridhar was awarded ‘CIO Of The Year’ by Tampa Bay Business Journal.

Richard Young is the Managing Director of RJY Group, LLC. Mr. Young is a retired Marine veteran with more than 35 years of experience in Project Management, Transportation, and Logistics. He spent twenty years of honorable active service in the United States Marine Corps as a Transportation Chief/Officer. He has previously provided support to various Department of Defense (DOD) entities overseeing their Logistics and Asset Management Functions. His current role has him focused on the facilities maintenance of critical assets for multiple entities that include the DOD, Veterans Affairs, the National Oceanic & Atmospheric Administration (NOAA), and has a presence in 18 states plus the District of Columbia.

With his vast experience in government contracts and project management, Mr. Young is in charge of all aspects of daily and corporate operations for RJY Group including but not limited to operational policies and procedures, business and strategic initiatives, business development, project management, scheduling, procurement, quality control, safety, and closeout documentation.

He maintains an excellent reputation with customers and subcontractors to ensure there is clear communication as well as timely and successful completion of every project. His commitment to safety and accountability has earned both RJY Group and Mr. Young a stellar reputation within the industry with clients, subcontractors, and contracted personnel.

His unbending work ethic has allowed RJY Group to excel in facility operations while remaining customer-centric.

Shirley is the CEO and Founder of SeeMetrics. She brings decades of experience working in technology in Israel and across go-to-market strategy and execution, operations, marketing, and scaling startups globally. A strong advocate of equal pay, Shirley won the first-ever equal pay case in the high-tech world in Israel and continues to fight to close the gender gap. She has a B.A in policy and governance from Ben Gurion University and M.A with honors in international security and non-proliferation from King’s College University, London.

Enough with the Horror Board Meeting Preparation! There’s a new and better way

Security organizations are facing challenges and risks on a daily basis. With the complexity of managing so many different tools, it takes immense effort to derive clear consistent insights from them and answer simple everyday questions such as “How is our security program performing?”and “How does it compare to last year? Last Quarter?” It requires the meticulous gathering and inputting of data, the analysis and the synthesizing of information, and the translation of findings so that results from investigations can be meaningful to others in the business. All this distracts the CISO from the most significant element of their job: improving security.

In her presentation titled, “Horror Board Meeting Preparation – Enough with the Old Way. In with the New Way,” SeeMetrics CEO & Founder Shirley Salzman will share stories of global security leaders preparing data for board meetings – including SeeMetrics advisor and former Netflix CISO, Jason Chan; SeeMetrics advisor and cyber expert Sounil Yu; and others. Shirley will describe how they faced the challenge of conveying KPIs and performance measures to senior leadership

Matthew Warner is CTO and Co-Founder of Blumira, a leading cybersecurity provider of automated threat detection and response technology. At Blumira, he leads the security and engineering efforts to provide actionable insights into cybersecurity risks at scale. Matt has over 10 years of experience in IT and development, focusing on business strategy, development, compliance, threat detection and penetration testing. Previously, he was Director of Security Services, Development & Security at NetWorks Group, responsible for defensive information security and services.

Leveling Up Security Maturity From Scratch

For organizations with few — or zero — security measures, building a security strategy may appear daunting. Any CISO that wants to get started should focus on developing security maturity to holistically improve security across the board.

Join Blumira’s Matthew Warner, CTO and Co-Founder, to give you practical, actionable (and nonjudgmental!) advice on how to improve your organization’s security maturity, starting at step one. You’ll learn:

• Basic tools you should invest in to level up beyond the basics and advance to the next stage of your security maturity model
• Security frameworks to help you get started
• How to maximize a limited security budget

Tom Huang is current a team member of the McGann Group, a small security consulting LLC in Raleigh NC. He is a former Customer Engineer for Microsoft specializing in Modern Desktops and cloud security, Security Solution Architect for BB&T (Triust Financial) and U.S. Postal Service (31 years of service).

Tom’s focus is on Endpoint security and cloud security specializing in Windows 10 and Windows 11 and hardening Endpoints. He also has some knowledge in vulnerability assessment and corporate cyber security awareness training policies and techniques.

He graduated summa cum laude with a bachelors’ degree in Information Technology and have been working in the IT realm for over 22 years with the last 10 in Cyber Security.

His Certifications include the CISSP, MCT, MCP and other Microsoft Certifications. Tom and wife Sandra enjoy travel, family time (3 grown children and 6 granddaughters), and Tom enjoys bowling and golf as his hobbies.

Josh Lospinoso is the CEO and Co-Founder of Shift5, an OT cybersecurity company that protects planes, trains and defense systems from cyberattacks and improves functional efficiency by providing operators with visibility into the data that powers their longest-lived assets. Shift5 is the first-ever OT cybersecurity and observability solution that enables operators to make data-informed decisions to improve resiliency and operations of fleets.

Prior to founding Shift5, Josh pioneered red team operations for the U.S. military as one of 40 people hand-selected to set up the U.S. Cyber Command, the nation’s most elite unit of cyber defenders. There, he commanded offensive cyber operations, built nation state-grade hacking tools, and formed close relationships with the likes of Four Star General Paul Nakasone, and CISA Director Jen Easterly.

Josh is also the author of C++ Crash Course (No Starch Press, 2019), dozens of peer-reviewed journal articles spanning multiple disciplines and multiple patents. Josh earned a B.S. in Economics and Operations Research from the United States Military Academy and a Ph.D in Statistics from the University of Oxford, where he was a Rhodes Scholar.

Critical Transportation Infrastructure: The Expanding Cyber Battleground

Train service outages that keep commuters from work. Shipping interruptions that leave store shelves empty. Faulty GPS data that throws planes and ships off course. These are the hazards of cyberattacks targeting critical transportation infrastructure.

Attack tools have advanced and targets have expanded to include cyber-physical assets associated with the supply chain, like cargo systems and transportation hubs. Meanwhile, critical transportation systems and military platforms that have played a key role in the defense of Ukraine, are increasingly in the crosshairs of cyberattacks.

These systems use operational technology (OT) to power their fleets and the most critical and sensitive functions, like engine and transmission controllers; braking systems; power/electrical controls; command and control displays; and weapon system controls. Their infrastructure is built on older technology that was designed for reliability and longevity, not resiliency. They are also connected to outward-facing networks instead of isolated ones, creating a complex convergence of OT and IT environments. Just last year we witnessed the Toronto public transportation agency hit by a ransomware attack that took down several systems used by drivers and commuters alike, impacting the bottom line. We also witnessed a breach take place on the New York Metropolitan Transportation Authority (MTA) systems.Thankfully no one was harmed, but attacks on cyber-physical operations within transportation systems can cause untold disruption to civil society and harm to citizens, as well as shift the balance of power in military conflict and geo-political matters. Never before have these OT systems been so vulnerable.

In this session, Josh Lospinoso, CEO and co-founder of Shift5, will delve into the risks facing critical transportation infrastructure as an emerging cyber battle ground, why securing operational technology that controls the movement of trains and planes is complex, lags behind IT security and has incredibly high stakes if left unsecured– as well as what that means for operators responsible for securing their fleets. He’ll also provide practical recommendations for how governments and industry can best prepare for and defend against threats to critical transportation infrastructure.

Audience members will walk away with greater visibility into the attack environment within transportation infrastructure, as well as solutions and best practices to help this segment of infrastructure from cyberattacks. This includes public-private collaboration to address growing cyber risks by promoting technology advances, alliances, security standard development, training and improved OT cybersecurity education opportunities.

Charles L. (Chuck) McGann, Jr., is an information security professional at CRGT, a government contractor providing IT and Security services to DOD, Army, USPS, VA among other agencies. In his current role, McGann is working to leverage CRGT capabilities among the Federal Civilian agencies as well as review emerging vendors for possible partnerships for increasing agency support needs. His experience is helping solidify the strategic initiatives roadmap for Cyber and Intel Solutions. Chuck is the former Corporate Information Security Officer for the United States Postal Service (USPS).

Nick is the CISO at SAI360 and was formerly CISO at Monster Worldwide, global online employment solution provider. He is a business focused, process-oriented and technical information security senior leader with over 18 years of experience building and leading global information security teams and programs as a critical business enabler across various industries and hosted cloud services. Nick holds a Master of Science in Network Security from Capitol College, and a Bachelor of Science in Business Administration – Operations Management \ Management Information Systems from Salem State College. He also holds C|CISO, CISSP-ISSAP, & CISM credentials.

Mr. Rayle is a Security professional with over 22 years of experience in security leadership, management, consulting and sales support. He has been a member of the Global PCI Council and managed/performed global security consulting in all industries and sectors. He has also provided executive advisory services for various industries and has a wide range of regulatory experience that includes PCI, SOX, FFIEC/FIDC, HIPAA and NERC CIP. Mr. Rayle regularly presents at summits and industry trade shows, and assists in writing industry certification exams.

Mr. Woodson is an IT information security professional with over 20 years’ experience and has a deep understanding of operational and information technology processes , the implementation of cost-effective controls and security safe guards to monitor and mitigate risks. Mr. Woodson has an extensive background in Network and Information Security, Data Privacy, Fraud Management, Technical Investigations, Regulatory Compliance and Policy Development, Litigation Preparedness, Enterprise Governance, Risk Management, Computer Forensics, Law Enforcement Technologies, and Application Security Threats and Countermeasures.

Cam is a cyber defense advisor and information security strategist who has worked for the United Nations, governments and law enforcement agencies, as well as leading multinational corporations. He has collaborated on multi-taskforce investigations and fact-finding missions on a global scale. Cam practices in the area of Risk Advisory in Europe with focus on Information Security, Cyber Governance, Security Intelligence, Adversary Profiling, Active Defense, Vulnerability Identification, Data Protection & Privacy (GDPR, Data Transfers and Controls, LEDP, ePrivacy, Standard Contractual Clauses, Data Protection Act) and Countermeasures to Insider Threats. Cam is also an author and contributor to books and articles on many aspects of cybercrime, data risk and information security, as well as a regular speaker on the subject at international conferences and seminars. He has led commentary on cybersecurity and cyberwarfare in the Financial Times, Forbes Special Reports, The Telegraph, Raconteur Reports, SC Magazine, IDG Connect, CSO Online, Computer Business Review, International Business Times, amongst others.

Case Study – Insider collusion and data exfiltration for sake of love

Client advised of data leakage but would not disclose how it came to know of breach or specify data involved. Case study details complex investigative activities and ultimate findings. Echoing Tina Turner’s “What’s love got to do with it?” this talk will get to the very ‘heart’ of the matter.

Key investigative challenges discussed: – Limited leads from which to build a case – Vast quantity of data to interrogate – High visibility among leadership due to strategic importance of customer – Pressure for expedited response – Language and cultural differences – Data retention issues – Technical literacy among key stakeholders – Large pool of potential suspects – ‘Need-to-know’ principle limiting collaborative efforts – Pressure to manage costs of investigation – Privacy and confidentiality issues – Cross border data flows and multitude of egress points for exfiltration.

Key post mortem takeaways and insights: – Managing complex and highly sensitive global projects with accountability to executive – Maintaining high quality outcomes whilst managing costs, time, and resource utilization efficiently – Managing cross-cultural differences and strategies for enabling bridge-building among interdisciplinary stakeholders from diverse backgrounds.

Joey Jablonski is VP of Analytics at Pythian, he leads strategic engagements assisting customers in developing their data strategy, defining and executing on data governance programs and building analytical models to power the modern data-driven organization. Prior to Pythian, Joey was VP of Product at Manifold, where he brought a product mind-set is part of all engagements—allowing for delivery of value quickly in any project, and building over time to drive adoption of new data-centric capabilities in an organization. Joey led engagements across industries including high tech, pharmaceuticals and for the federal government. Before Manifold, Joey held executive leadership positions at Northwestern Mutual, iHeartMedia and Cloud Technology Partners. He brings 20+ years of experience in software engineering, high performance computing, cyber security, data governance and data engineering.

CISOs’ Next Frontier: Data Governance

CISOs will learn how they can effectively influence data governance programs, how they structure their own organization to be data-centric in their approach and what technology architectures will be needed to support future data governance & consumption needs.

The primary asset for most organizations is their data. Data drives consumer engagement, product development, marketing analytics and future product investment and decisions. This value means data is also the primary risk to an organization – The loss, unauthorized change or exploitation of data can leave an organization with negative reputation or legal consequences.

The need to balance the value of data with risk is bringing new prominence to holistic data governance programs that act as an organization enabler. Holistic data governance programs are where organizations ensure that new regulatory obligations, consumer expectations, product features and data exchanges with third parties are managed to minimize risk and maximize the value exploited from an organizations data. Effective data governance programs work to define policies & enable engineers and product teams through data literacy programs to effectively build systems that create and leverage data.

The role of the CISO and their organization is evolving to become more data centric. They are a powerful voice in data governance programs to ensure alignment between corporate security policies and data creation & consumption needs. An effective CISO will influence policies and architectures for data creation, storage, process and protection. The engaged CISO will work to align their learning and development requirements with that of the holistic data governance programs so that data literacy programs are impactful and enable engineers with the tools & knowledge needed to build modern competitive platforms that exploit the value of data while meeting legal and regulatory obligations and consumer privacy obligations.

As the Chief Information Security Officer at AXA Gulf, Bruno Fonseca oversees the areas of Information Security, Business Continuity & Crisis Management and IT Compliance and Risk, and is responsible for 4 countries (UAE, Oman, Qatar, Bahrain). As a Certified CISO and senior Information Security Professional with more than 19 years of experience in the Security and Operational Resiliency fields, he brings tremendous technical leadership and operational expertise to the company. Prior to joining AXA Gulf, Fonseca worked with some of the largest international Telecom and Insurance Groups, leading his teams towards best-in-class technology practices across all platforms and systems.

Security? There’s an App for that!

We’ve been witnessing a continuous increase in complexity of the security threat landscape for years and kept adding solutions to our Security Stacks in response. Now when we look at the stack, it stands tall like a Skyscraper! When will it end? Is it sustainable to keep adding to the stack? Join Bruno Fonseca on his trials and tribulations trying to manage a Security Stack.

Leeza Garber, Esq. is a cybersecurity and privacy attorney, with deep experience working as in-house counsel at a cybersecurity and digital forensics company. Leeza teaches Internet Law at the University of Pennsylvania’s The Wharton School, and teaches Information Privacy Law at Drexel’s Kline School of Law. She is also an on-air expert for national news. Leeza has been published in The Legal Intelligencer, Law Technology Today, Wired and Newsweek. She is a Bryn Mawr College graduate, received a Certificate in Business and Public Policy from The Wharton School, and earned her J.D. from the University of Pennsylvania Law School.

Joshua Crumbaugh is an engaging and internationally respected cybersecurity subject matter expert, published author, and keynote speaker. During Joshua’s ethical hacking career, he has never encountered a single network that could keep him or his teams out. He has also accomplished many impressive social engineering feats, such as: talking his way into bank vaults, fortune 500 data centers, corporate offices, restricted areas of casinos, and more. His experience in all things security led him to realize something had to change. This realization led him to found PhishFirewall, where he is the Chief Technology Officer. Joshua is one of the world’s most accomplished ethical hackers.