Risk Management and Governance

A Cybersecurity Management Operating System (MOS)

Presenter: Allan Alford (Allan Alford Consulting)

Cybersecurity Working with the C-Suite and the Tech Leadership to Bring About Results

Presenter: Scott Rubin (KPMG)

In any business or government agency, the leaders seek to achieve their mission objectives and not get caught up in technical details. Threats from malicious cyber actors and sometimes careless employees can disable or destroy entire electronic information and SCADA systems. While the inclination to learn more about cyber-based threats and environmental losses to availability are at perhaps an all-time high in C-Suites and with Federal Government agency directors, there is precious little time to waste in enabling smart and useful cybersecurity programs in our workplaces. We can help these leaders by being the bridge between the technical underpinnings that support their mission objectives, and the technical workforces that spend their time enabling and defending those systems. This topic is for managers and executives that find themselves either too technical or too aligned with the business operations to make all of the necessary connections that lead to effective cybersecurity outcomes.

Data Governance and IT Governance

Presenter: David Cole

Knowing your data and how it resides in IT systems assists in developing governance and monitoring of data.

How Security Teams Are Failing to Protect Users from 3rd Party Tracking and How to Stop It

Presenter: Mike Landeck (NTT Data)

While there is significant time and investments made by the CISO and Privacy offices to assure that user data is not leaked from the network, users’ data- often their most sensitive- is being leaked to third-parties by the myriad of analytics tools that are added to web applications even after they have passed their security testing and privacy impact assessments, thus creating a blind spot for those who are actually responsible for security and privacy.

This talk will provide information to privacy and security professionals on how to identify third-party tracking code that has been added to their applications, how to assess the severity of the issue, and how to articulate the problem to their leadership.

Cloud Computing System Implementations: Risk & Governance Audit Considerations

Presenter: John Heath (KPMG)

Organizations are increasingly moving financial systems to cloud environments, which raises potential risk and governance concerns, particularly with respect to financial statement audits. During this session the speaker will provide a brief overview of cloud computing followed by risk considerations with respect to cloud migrations addressing areas of project governance, user security, data migration, and control integration.

Allan Alford
President & CISO, Allan Alford Consulting

With twenty+ years in information security, Allan has served as CISO five times in five industries, with a strong history in technology, manufacturing, telecommunications, litigation, education, cybersecurity and more – at companies ranging from 5 to 50,000 employees.

Allan parlayed an IT career into a product security career and then ultimately fused the two disciplines. This unique background means that Allan approaches the CISO role with a highly business-aligned focus and an understanding of an organization’s greater goals, drivers, methods, and practices. Allan seeks at all turns to positively impact the top and bottom lines.

Allan holds a Master of Information Systems & Security and a Bachelor of Liberal Arts with a focus on Leadership.

Allan gives back to the security community via The Cyber Ranch Podcast, by authoring articles, speaking at conferences and teaching.

Scott Rubin
Director, FED CIO Advisory @ KMPG

Scott Rubin is a Director at KPMG where he leads consulting programs that span the systems engineering spectrum from specific operational capabilities to the enterprise. Scott’s professional career began in the United States Air Force working with electronic cryptographic communication systems. After his military service, Scott would serve on the staff at the Defense Advanced Research Projects Agency (DARPA) as their inaugural Chief of Information Security, where he was responsible for the Agency’s operational cyber mission. His career progression spans from working inside of discreet-component TTL and CMOS systems up to designing and deploying large-scale interconnected information system environments in the cloud.

Scott is also an Adjunct Lecturer in Georgetown University’s School of Continuing Studies, teaching graduate courses in Cybersecurity Risk Management and the Applied Intelligence program. Before Scott came to Georgetown, he was an Adjunct Professor/Lecturer at George Washington University in the graduate Cybersecurity Policy and Compliance track.

Scott provides instruction across the Cybersecurity and Intelligence landscapes, from policy and management concepts and practices as well as the complex technical aspects that exist in networked systems. Scott’s instructional coursework experience includes:

• • Auditing, Monitoring, and Intrusion Detection for Information Security Managers
  • Management of Information and Systems Security
  • Managing the Protection of Information Assets and Systems
  • Cybercrime for Information Security Managers
  • Advanced Analytic Techniques in Intelligence
  • Cybersecurity Governance Frameworks

Scott brings over 30 years of professional experience into the classroom environment, from the leading edges of the Department of Defense, to federally funded research and development programs in the Intelligence Community, and across the commercial consulting industry. Scott ties in real-world examples and modern technical and managerial challenges to broaden the course experience.

When Scott is outside of the classroom or not consulting with clients, he is an active father to his kids Cassandra, Oliver, and Miriam, and doing all he can to keep up with his wife of twenty years, Brigitta. A graduate from George Washington University with a Master of Engineering in Cybersecurity Policy and Compliance, Scott keeps active in hobbies that helped launch his career, including the restoration of classic arcade pinball machine and video games.

David Cole
Owner @ SysAudits.com
CPA, CISA, CRISC

Mr. Cole has an extensive and diverse leadership and management experience covering IT security, cyber assessments, regulatory assessments, IT audits, and IT operations support. Mr. Cole is currently the owner of SysAudits.com.

Mr. Cole held numerous Director of IS Audit positions at:

• U.S. House of Representatives Office of Inspector General
• Department of Education, Office of Inspector General
• Smithsonian Office of Inspector General

Leadership included:

• Regulatory assessments (ITAR, FISMA, and HIPPA) of company and government IT operations, contract compliance, outsourced data centers, and IAAS, PAAS, and SAAS cloud operations
• Drafted national cybersecurity policy for the National Industrial Security Program (NISP) under the Director of National Intelligence
• C-Suite presentations and Congressional testimony
• Technical testing and training – pentesting, disaster recovery, and others
• Forensic and technical support to Federal Agent cybercrimes investigations

Mr. Cole held numerous IT Operations positions:

• Chief Information Officer, Defense Security Service (DSS): Executive leadership and management oversight for all IT operations to include multiple datacenters, systems engineering, application development, cybersecurity, IT policy, budget and resource planning. Responsible for a $100 million+ annual IT budget and 150+ technical staff supporting 70+ locations.
• Director Designated Approving Authority, DSS – CISO for cleared industry with responsibility for certification and accreditation under the NISP of 40,000+ information systems at 14,000+ locations.

Mike Landeck
Director of Security Consulting @ NTT Data

Mike Landeck led the security implementation and then operationalized two of the Country’s largest cloud-based healthcare IT projects. Mike has been responsible for the overall security of systems with financial transactions of over $4 billion per month, as well security programs regulated by HIPAA, SOX, PCI, FISMA (NIST 800-53) the IRS and FedRAMP.

Mike is a frequent conference speaker and workshop presenter focusing on such topics as software security testing and security program management.

John Heath
Director, Audit, Technology Assurance @ KPMG LLP

John Heath is an IT director in KPMG’s Federal practice and has more than 17 years of experience providing audit and advisory services to the Federal Government, commercial organizations, and not-for-profit organizations. His career has mainly focused on IT support for financial statement audits and system and organization control (SOC) examinations.