2024 Annual Meeting Conference

Opening Remarks

Introduction to the conference and discussion of logistics, including CPEs and polling questions.

Bridging the Divide: Technology’s Role in Shaping Policy for a Sustainable Future

Presenter: Dr. Gina Guillaume-Joseph (Eztera Digital Solutions)

Given the dynamic nature of technology and its profound impact on society, the topic will resonate with the audience in Washington DC, considering both the political and technological significance. I’ll explore how technology not only drives innovation but also serves as a critical bridge between diverse sectors, including government, private industry, and the public. I will delve into AI, cybersecurity, and the policies for tech governance.

What are the intersections of Privacy and AI?

Presenter: Deborah Adleman (Adleman Consulting Services LLC)

Every month there seem to be new examples of artificial intelligence (AI) technology such as Generative AI and accompanying privacy regulations. At the same time, the complexity of these privacy requirements is also increasing. There is a heightened clamor for governments, businesses, and individuals to approach AI ethically while not derailing innovation. Amidst this environment, what are the overlaps between Privacy and AI that can help us mitigate risk and govern emerging technologies consistent with our business mission? How do we protect privacy while allowing AI to increase business efficiency and simplify our lives without stifling innovation?

Learn from Deborah Adleman of Adleman Consulting Services LLC who has spent her career as a US and Global Risk and Privacy Leader who will help us tackle these answers and leave us with a roadmap to take back to our organizations.

Morning Break

Navigating the Cybersecurity Frontier: Emerging Threats and Defense Strategies in 2024

Presenter: Sushila Nair (Cybernetic LLC)

This dynamic presentation delves into the evolving landscape of cybersecurity, focusing on emerging technologies, threats, and defense strategies crucial for today’s digital world.

The session begins by exploring the realms of cyberwar and cybercrime. Recent state-sponsored cyberattacks targeting critical infrastructures are highlighted, emphasizing the need for robust national cybersecurity strategies and international cooperation. The rise of sophisticated ransomware, phishing schemes, and AI-enhanced fraudulent activities are examined, drawing insights from recent high-profile incidents. The importance of cybersecurity awareness, advanced threat detection, and response strategies are underscored as vital defensive measures.

Next, the transformative role of Artificial Intelligence (AI) and machine learning in cybersecurity is investigated. These technologies are revolutionizing threat detection and response, though they also introduce risks such as adversarial AI and ethical concerns.

A significant focus is placed on Zero Trust Architecture, a critical shift in cybersecurity paradigms. The principles of zero trust are explained, emphasizing the importance of continuously verifying users, devices, and applications. Practical steps for implementing zero trust within organizations are provided, highlighting the approach’s effectiveness in mitigating modern cyber threats.

Identity security is covered as a cornerstone of effective cybersecurity. Strategies for robust identity and access management (IAM), including multi-factor authentication (MFA) and identity governance, are discussed to reduce attack surfaces and protect sensitive data.

The presentation further explores emerging attack vectors, such as supply chain attacks and zero-day exploits, offering real-world examples and mitigation strategies. Advanced defensive measures, including threat intelligence and sharing, are examined, stressing the value of collaboration and effective threat intelligence platforms.

Concluding with a summary and a Q&A session, this presentation aims to equip attendees with a comprehensive understanding of current cybersecurity challenges and the advanced defenses necessary to counter them.

Lunch Break

Streamlining AI Governance: Tools for Tomorrow’s Challenges

Presenter: Meghan Maneval (RiskOptics)

In an era where artificial intelligence is rapidly transforming industries, the need for proactive and robust AI governance has never been more pressing. In this session, “Streamlining AI Governance: Tools for Tomorrow’s Challenges,” I’ll provide a strategic roadmap for organizations looking to establish a solid governance framework that not only meets today’s requirements but also anticipates future regulatory landscapes. During this session, we will explore the practical steps necessary to lay the foundational groundwork for AI governance. Leveraging a real-world AI use case, the focus will be on equipping your organization with the necessary strategies to establish AI Controls, align with AI Regulations, track AI Risk, and monitor AI in your supply chain.

You’ll learn how to implement a governance structure that adapts to new challenges, ensuring your AI initiatives are both innovative and within regulatory bounds.

Participants will explore:

• Aligning organization controls with AI specific regulations, automating evidence collection, and correcting non-conformities.
• Tracking AI projects and managing the associated assets, threats, vulnerabilities, and risks.
• Monitoring your supply chain’s compliance with AI usage standards and risk reduction activities.

What is going on in the ransomware cybercrime business ecosystem?

Presenter: Dr. Ferhat Dikbiyik (Black Kite)

Ransomware groups now operate like agile tech startups, not traditional crime cartels. They combine advanced tech skills with psychological manipulation and a business mindset. Their sophisticated tactics challenge standard cybersecurity defenses, requiring a new approach to understanding and combating these threats. This session explores their operations and mindset through business and social psychology principles, particularly those by Elliot Aronson.

We’ll discuss why technical defenses aren’t enough. Ransomware groups carefully choose targets based on vulnerability, strategic value, and psychological impact. Despite law enforcement’s progress against groups like Lockbit and Black Cat, these syndicates adapt and evolve, highlighting the need for a dynamic risk assessment model that considers both technical and psychological factors.

We’ll examine how some professionalized ransomware groups use business tactics and moral justifications, posing as pentesters, hacktivists, or reluctant actors. By analyzing their PR moves, apologies, and rationalizations, we’ll gain insights into their behavior. Case studies will reveal their strategies in operations, negotiations, and public relations.

Afternoon Break

Building an Effective Insider Risk Mitigation Program

Presenter: Randall Trzeciak (Security Engineering Institute @ Carnegie Mellon University)

The National Insider Threat Center in the CERT Division of the Software Engineering institute at Carnegie Mellon University has been researching Insider Threats since 2001 and has analyzed over 3500 incidents where insiders have maliciously or non- maliciously harmed organizations. The research has resulted in the development of models describing how these incidents tend to evolve over time, including the identification of both the technical and behavioral potential risk indicators. This presentation will provide a brief overview of the insider incident types; best practices for the mitigation of insider threats; provide an insider threat program development roadmap; and recommend resources for the evaluation of an insider threat program.

Healthcare Under Siege: Decoding Cybersecurity and Privacy Challenges to Navigate the Surge in Ransomware Attacks

Presenters: Tina Curtis (Office of the Attorney General for the District of Columbia) and Ruchi Shewaramani (Washington Health Benefit Exchange)

Topic description to be posted soon

Closing Remarks

Annual General Meeting (AGM) of the Chapter Membership

The member portion of the meeting will be held on a separate zoom and is open to all current chapter members. Members can register for this session on the AGM event page.

Dr. Gina Guillaume-Joseph
Chief Innovation Officer (CIO) @ Eztera Digital Solutions

Gina Guillaume-Joseph, PhD is a published author and technologist with executive experience and thought leadership within the Federal and Commercial Sector.

Gina is the Chief Innovation Officer (CIO) at Eztera Digital Solutions. Gina will leverage her technology implementation experience and vast network to support the Federal Government’s Technology Transformation Strategy. Her accomplishments and successes are based on strong program performance, leadership discipline, a commitment to developing relevant, innovative and adaptive solutions, and a vigilant focus on best value solutions for her clients.

Gina spent 16 years supporting our Federal Government as a contractor with Booz Allen Hamilton, L-3 Communications and The MITRE Corporation. As a Systems Engineer she was responsible for implementing key strategic frameworks, solutions and technology platforms to assist agencies such as the DoD, IRS, FDIC, DHS, VA, and SSA overcome technology gaps in delivering capabilities and value to our United States Taxpayers.

Gina is the former Chief Technology Officer – Government at Workday and former Director of Technology at Capital One. Gina supported the HR and People Technology team as a strategic technical advisor. At Capital One, she matured their Scaled Agile practices by hiring agilists, training the team, and fully implementing the framework to scale resulting in improved product value delivery across the organization. Workday was a key product implemented to Capital One’s more than 43,000 employees.

Deborah Adleman
Adleman Consulting Services LLC
CCEP, SCCE, IDP, GCRP, CIPP/US, CIPM, and FEP

Deborah is a strategy-driven and practical, results oriented leader recognized for enabling future focused enterprise-wide data protection risk management, AI governance and ethics & compliance programs. Deborah’s evolved experience in leadership at a Big Four firm combined with a successful consulting career brings a global, IT engineering, and business process outcomes mindset to data governance, process improvement and teamwork. Deborah was the US & Americas Data Protection Risk Management Leader for Ernst & Young for over a decade and a successful consultant within EY before that. While at EY, Deborah led EY’s US and Americas’ data protection risk, ethics and compliance program strategy and implementation across 50,000 employees while collaborating with other EY global leaders. Deborah was accountable for assessing, implementing, and monitoring the effectiveness of the enterprise data protection program and its maturity. Deborah accomplished this by fusing ethical and responsible data protection leading practices into the core business processes and then establishing accountability grounded in metrics. Since leaving EY, Deborah has started her own single person consultancy serving a wide range of companies, continuing her tradition of helping companies leverage risk to empower their teams to perform accountably, with integrity in the midst of uncertainty.

Deborah has her Bachelor of Arts from the University of Pennsylvania, and has various governance, ethics and privacy certifications including the Certified Compliance and Ethics Professional (CCEP) through the Society for Corporate Compliance and Ethics (SCCE), the Integrated Data Privacy (IDP) and the Governance, Risk & Compliance Professional (GCRP) from the Open Compliance and Ethics Group (OCEG), and the CIPP/US, CIPM and FEP through the IAPP.

Deborah is the author of “How to Operationalize Privacy and Data Governance for AI” (InformationWeek), and “A Data Privacy Compliance Program Primer” (SCCE) and is a regularly sought after speaker who recently provided subject matter expertise for the IAPP’s new Artificial Intelligence Governance Professional (AIGP) certification.

Sushila Nair
Vice President, Head of Cybersecurity Services, CEO @ Cybernetic LLC
CISSP, GIAC GSTRT, CISA, CISM, CRISC, CDPSE, CCSK, CCAK

Sushila Nair is the CEO of Cybernetic LLC and former Vice President of Capgemini’s North American Cybersecurity practice. Sushila Nair is a pivotal figure in driving secure digital transformation globally. With over 30 years of experience spanning computing infrastructure, business, and security risk analysis, Sushila has carved a niche in the cybersecurity domain. Her journey includes a decade-long leadership of her own IT and Cybersecurity company across major UK cities and serving as a Chief Information Security Officer (CISO), where she mastered the art of safeguarding against evolving digital threats.

An esteemed thought leader, Sushila’s insights have graced global platforms like RSA and ISACA’s conferences. Her role in the ISACA global emerging trends working group and as Vice President of ISACA’s Greater Washington, D.C. Chapter showcases her commitment to advancing the field. Her efforts, especially in championing the next generation of cybersecurity talent and promoting diversity, earned her the prestigious ISACA Technology for Humanity Award in 2024.

Meghan Maneval
Vice President of Product Strategy and Evangelism @ RiskOptics
CISM, CRISC

Meghan Maneval is a distinguished figure in the cybersecurity and governance, risk management, and compliance (GRC) sectors, renowned for her innovative approach and commitment to enhancing diversity in the tech industry. With nearly 20 years of experience, she has consistently demonstrated her ability to simplify the complexities of cybersecurity for organizations around the world.

As the Vice President of Product Strategy and Evangelism at RiskOptics, Maneval leverages her unique insights to drive significant advancements in GRC tools. Her direct involvement in the development of RiskOptics ROAR, a trailblazing GRC solution that automates risk management and compliance, underscores her role as a key innovator in the industry.

Maneval’s influence extends beyond RiskOptics- advocating for risk-centric strategies that adapt to the evolving landscape of cybersecurity. Her pioneering work in AI governance, including the design of a continuous monitoring process and the development of an AI Governance course for ISACA, showcases her dedication to responsible and secure AI usage. These achievements awarded her the SC Media Women in Cybersecurity Award.

Beyond her technical achievements, Maneval is passionate about fostering an inclusive work environment. She founded the Women in Leadership Program at RiskOptics, aiming to empower female employees and equip them with the skills necessary for leadership roles. Her efforts reflect a deep commitment to breaking down barriers and creating opportunities for women in technology.

Additionally, Maneval is an active mentor, particularly within the Girl Scouts, where she inspires young women to pursue careers in STEM. Her involvement with the Cyber Guild’s Diverse Minds Movement and her doctoral research on the impact of AI on neuroinclusion further illustrate her commitment to building a more diverse and inclusive tech community.

Meghan Maneval’s comprehensive contributions to cybersecurity, her innovative solutions, and her dedication to mentorship and diversity mark her as a transformative leader in the field.

Dr. Ferhat Dikbiyik
Chief Research & Intelligence Officer @ Black Kite

Dr. Ferhat Dikbiyik, as the Chief Research & Intelligence Officer, stands at the vanguard of redefining cybersecurity’s frontiers, particularly in the realm of ransomware. Under his leadership, his team delves into the sophisticated world of cyber threats, blending cutting-edge data analysis and machine learning to elevate the Black Kite platform’s capabilities. His unique approach uncovers not just the how of ransomware operations but the why, illuminating the psychological underpinnings and business-like efficiency of these cybercriminals.

With a storied 15-year journey traversing from academia to the pulsating heart of startup innovation, Dr. Dikbiyik’s transition shines a light on his versatility. Holding a Ph.D. in Electrical and Computer Engineering from the University of California, Davis, he initially focused on enhancing the resilience of telecom networks against disasters. This foundation set the stage for his later work, where he explores the nexus between technology, psychology, and strategy within the cyber risk domain.

Dr. Dikbiyik has contributed to national and international projects on disaster risk, including cyber risk. His prolific output, featuring over 40 scientific papers with more than 1,000 citations, evidences his significant impact on the field. He is a co-inventor of two patents granted on cyber risk assessment, one related to ransomware susceptibility measurement.

In recent years, Dr. Dikbiyik has become a sought-after voice on the global stage, elucidating the complexities of cyber risk management and the intricacies of ransomware groups. His work—bridging the gap between academic research and practical, startup-driven solutions—resonates with a broad spectrum of cybersecurity professionals and businesses alike.

Randall Trzeciak
Director of The Insider Threat Center at CERT
Adjunct Faculty, MSISPM Program Director @ Software Engineering Institute @ Carnegie Mellon University

Randy Trzeciak currently holds a dual appointment between Heinz College and the CERT Program of the Software Engineering Institute at Carnegie Mellon University. In support of the Heinz College, Randy occupies the role of Director of the Master of Science Information Security Policy & Management (MSISPM) Program as well as an adjunct professor for the graduate School of Information Systems and Management.

In support of the Software Engineering Institute, Randy is the Technical Manager of CERT’s Enterprise Threat and Vulnerability Management Team and the CERT Insider Threat Center. The team’s mission is to assist organizations in improving their security posture and incident response capability by researching technical threat areas; developing and conducting information security assessments; and providing information, solutions and training for preventing, detecting, and responding to illicit activity. Team members are domain experts in insider threat and incident response. Team capabilities include threat analysis and modeling; building and evaluating insider threat programs; development of insider threat controls, workshops, and exercises.

Prior to his current role in the CERT Program, Mr. Trzeciak managed the Management Information Systems (MIS) team in the Information Technology Department at the SEI. Under his direction, the MIS team developed and supported numerous mission-critical, large-scale, relational database management systems.

Prior to his time working at the SEI, Mr. Trzeciak was a software engineer for the Information Technology Development Center of the Carnegie Mellon Research Institute (CMRI), responsible for a variety of information networking projects. These projects included the design and development of large-scale databases and Internet-based systems that adhered to data privacy and security requirements; the design and implementation of multi-organizational portals for preparation and response to weapons of mass destruction; and collaboration among public health department epidemiologists.

Prior to his career at Carnegie Mellon, Mr. Trzeciak worked for Software Technology, Incorporated (STI) in Alexandria, Virginia. For nine years, Mr. Trzeciak was a consultant to the Naval Research Laboratory (NRL) working on numerous projects designing, building, and supporting large-scale relational database management systems. During his employment with STI, Mr. Trzeciak also filled the role of Information Systems Business Manager.

Tina Curtis
Assistant Attorney General, District-wide Privacy and Security Official/ Director of the Office of Privacy and Confidentiality @ Office of the Attorney General for the District of Columbia
CIPP, CCSA

Tina Curtis serves as Assistant Attorney General, and District-wide Privacy and Security Official/ Director of the Office of Privacy and Confidentiality, within the Office of the Attorney General for the District of Columbia. With a focus on health and human services data, she leads the government’s corporate compliance efforts for 20 agencies, spanning Human Services, Public Safety and Education clusters. She also provides ad hoc advice across all governmental business types. This includes overseeing privacy and security matters involving the operation of agency offices, data sharing design, policy development, audits, contracts oversight, policy development, technology reviews and training.

She also serves as Secretary for the Institute of Electrical and Electronics Engineers’ (IEEE) Privacy PAR Working Group. The PAR is completing the development of a global privacy standard for consumer mobile devices.

Her background also includes serving as Assistant General Counsel for the DC Department of Insurance Securities and Banking, and as the Chair of the Minority Business Opportunities Commission for Prince George’s County, Maryland.

Ms. Curtis is a graduate of the University of Maryland, College Park and the Howard University School of Law. She holds Certified Information Privacy Professional (CIPP) and Certified Cyber Security Architect (CCSA) certifications.

Ruchi Shewaramani
Chief Information Security Officer @ Washington Health Benefit Exchange

Ruchi Shewaramani is a cyber security executive with 18+ years of experience in Information Technology Security, Identity and Access Management (IAM), Governance, Risk and Compliance (GRC) across healthcare, education and financial sector. She is currently serving as the Chief Information Security Officer for Washington Health Benefit Exchange and as a Board member for ISACA Greater Washington DC Chapter.

In the last decade, she has led the security program for various healthcare agencies in District of Columbia (DC) prior to joining Washington state exchange. She specializes in establishing and transforming cyber security program for healthcare agencies to attain compliance with state and federal partners, safeguard customer data and build digital trust for the citizens served.