Business: Adapting to Change

The “Business: Adapting to Change” Track allows business and IT leaders to explore the impact of current and emerging security issues and learn how other thought leaders are protecting their organizations. Designed for business professionals and organizational leaders, this track features management topics that are vital to understanding how security principles apply to business objectives, technology projects, threat trends and business continuity.

A1 – Cybersecurity Training for the Enterprise

Dennis M. Allen

Much as physical safety in the workplace must be everyone’s responsibility, so must good cyber safety become habit for everyone throughout an organization. Annual data record losses are now in the billions. Breaches and incidents result from stolen credentials, phishing, privilege abuse, malware, and numerous other methods. Protecting “the business” requires much more than simple, annual computer-based training done in order to check a compliance box. Indeed, everyone throughout the enterprise does require baseline training to support best practices; but also require a specialized plan to help them truly understand how their actions impact the success of the organization.


Dennis Allen is the Education & Training Technical Manager for the Software Engineering Institute’s CERT Cyber Workforce Development directorate, which has implemented several cutting edge training solutions for the DoD and Federal government. He received his B.S. degree in Computer Science from St. John Fisher College, and his M.S. in Information Assurance from Norwich University. Dennis has been with the Software Engineering Institute for 12 years and has more than 25 years of information technology and security experience with fortune 500 companies, government and military organizations, and many small businesses. He has delivered numerous professional training classes, presented at industry conferences, and taught both undergraduate and graduate-level courses. Dennis is continuously looking for innovative ways to improve education, training, and assessment for the next generation cyber warriors.

A2 – Implementing MFA (Massively Favored Authentication) at RIT

Laura O’Donnell, Clay Cooper

How do you implement Multi-Factor Authentication (MFA) for over 25,000 users, in 5 countries, using both university and personal devices, with a population ranging from computer security students through retirees, without having your support desk hate you?

In this presentation, we will discuss Rochester Institute of Technology’s implementation of MFA. We will discuss the roadmap, starting with the requirements, product selection, rollout, and ongoing support of MFA. This presentation will include the challenges, lessons learned, and success stories.

We look forward to explaining this implementation and discussing what lies ahead for RIT and MFA.


Laura O’Donnell is a Senior Project Manager who works at Rochester Institute of Technology where she is known as the project manager that takes on the “quirky” projects. She manages IT security, audit remediation and the compliance programs.

Projects she has enjoyed the most include: The implementation of multi-factor authentication, anti-virus software, RACF, and P2PE with PCI Compliant software/hardware. She has developed processes to locate and remediate sensitive data, managed business continuity projects, vendor relationships, and has implemented an Institute print management project. Laura has been fortunate to work with and learn from the incredible RIT staff and students. They are never boring and she is amazed by their talent and fortitude.

She holds a master’s degree in service innovation, a bachelor’s degree in business administration and a certificate in Project Management from RIT.

Clay Cooper is part of the team responsible for identity management at the Rochester Institute of Technology where he supports authentication-related services: LDAP, SAML, and Kerberos. He also provides security, authentication, and authorization consulting on departmental and university-wide projects and most recently he has been the technical lead for RIT’s campus-wide MFA implementation.

Clay’s primary motivators are to reduce the number of passwords people have to forget and reduce the number of times users are prompted for credentials while not compromising the security of sensitive data.

In addition to holding a BA in Computer Science from SUNY Geneseo, Clay is also a Red Hat Certified Engineer, amateur radio technician, and a licensed boater in New York state.

A3 – Making Sense of Multi Factor Authentication

John D. Flory III, Jeff Miller

Everyone should be doing multi-factor authentication. We all know this, so why, for example, are less than 10% of Gmail users not implementing it? It comes down to education. What problem is MFA solving? Using the answer as a springboard, we’ll discuss the impetus behind MFA, the different on-prem and cloud options, pricing models, best practices, and implementation “gotchas”.


John D. Flory III, recognized cyber security expert, will be sharing his insight and experience in the realm of physical, social and cybersecurity concepts. During John’s 22 year tenure in the security field he has spoken at numerous conferences including keynoting at the Symantec Global conference, New York State School Boards Association, New York Bankers conference, Entrepreneur Organizations, New York State Department of Homeland Security forum and several other diverse venues. John’s hands on security experience dealing with real time cybersecurity attacks and remediation make him a valuable resource for an organization’s cyber preparation process. John’s leading edge approach has allowed him to help create human firewalls as one of the key pillars of defense.

Jeff Miller is a unique blend of engineer, teacher, and evangelist of all things cybersecurity. His roots in cybersecurity stem from his engineering degree and tenure at the nation’s second largest law firm; where he regularly defended against ransomware, the hacktivist group Anonymous, distributed denial of service attacks, and various other threats. Jeff spends much of his time educating organizations on how to adhere to both security regulations and best practices around cybersecurity. Jeff lives, breathes, and bleeds cybersecurity. It’s not just what he does; it’s who he is.

A4 – The Evolution of Segmentation: How Network Segmentation and Micro-Segmentation Aid in Threat Isolation and a Secure Posture

Matt Ostrowski

Segmentation is a way to isolate devices and applications of similar type, function or requirements. Essentially, this sets the groundwork for a more secure and manageable environment. By grouping like systems together you are better able to isolate them, restrict access to them, and in the case of a breach, limit the impact. With an ever-increasing attack service, segmentation isolates critical, managed infrastructure from other more vulnerable devices. In addition, by taking it further into the data center, we can monitor east west traffic and prevent unauthorized lateral movement. In this session, learn how to plan, implement and manage a segmentation strategy.


Matt Ostrowski, with 15 years of industry experience, focuses on building out IT infrastructures for a wide range of environments using a vast array of products and tools. Matt prides himself on evaluating the entire ecosystem to make suggestions that will ensure a secure and stable IT environment. When not designing networks, Matt enjoys riding his motorcycle both on the road and track.

A5 – Integrating Third Party Scoring Services into Your Enterprise KPIs

Joe Corsi, Tony Karakashian

As scoring services such as SecurityScorecard and BitSight continue to gain in popularity with clients and vendors, Paychex Inc. has taken steps to accept and socialize these scores internally and to incorporate these metrics into their current set of key performance indicators. With the inclusion of an “outside” scoring entity into their current portfolio of security metrics comes a myriad of challenges, as relates to socializing scores to key decisions makers, convincing development and operations resources of the validity of the scoring, and developing internal process improvements to ensure the SDLC remains uninterrupted, when critical findings may be found mid-delivery cycle.


Joe Corsi is currently serving as a Senior Security Manager for Paychex Inc.; a Payroll, Human Resource and Employee Benefits service provider. He is currently responsible for teams dedicated to Security Engineering and Architecture, Vulnerability Assessment and Management, Risk, Compliance and IT Audit, Security Projects, Metrics, and Reporting.

Joe has a bachelor’s degree in computer science from St. Bonaventure University and has a master’s of business administration degree (MBA) from the University of Rochester’s Simon School of Business.

Prior to joining Paychex in 2012, Joe served in the US Army as both an Infantry and a Military Intelligence Officer with a focus in Signal/Cyber operations.

Tony Karakashian is a mild-mannered father and the licensee for TEDxRochester, by day, and seasoned information technology professional, by night. Driven by a desire for peak operational efficiency, he has, in his 20+ years in the field, left a wake of astonished managers, satisfied customers and admiring colleagues behind him. In his spare time, he likes wreaking change on the unsuspecting city of Rochester as well as writing about himself in the third person.

Specialties: Windows 2003/2008, Active Directory, Citrix Xenapp Server, VMWare ESX Server, Visual Basic & VBScript, Linux

A6 – Bug Bounty at my Org? It’s More Likely Than You Think

Ashley Rider, Andrew Durgin

In the age of crowdsourcing, the gig-economy and what seems like daily breach disclosures, Bug Bounty programs offer an attractive supplement to your security program; allowing researchers world-wide to assess your virtual assets and be rewarded for their findings. However, many organizations are rightfully hesitant to allow strangers to hack their systems and to then trust them to securely disclose the findings. You may wonder if a Bug Bounty program is right for your organization and whether it can be as valuable as vendors may lead you to believe. The speakers will address these concerns by sharing real-world experience from two large financial organizations who strategically adapted their security programs to utilize Bug Bounty.


Ashley Rider has worked at Paychex, Inc since graduating from college in 2005 and has 14 years’ experience across multiple disciplines within Information Security, including Security Identity Management, Security Engineering, and Vulnerability Assessment and Management. She is currently responsible for managing the Security Assessment team. Ashley graduated from the Rochester Institute of Technology with a bachelor’s degree in Information Technology. Ashley works to build strong cross-functional partnerships and to continuously improve security across the entire organization, all within a complex and continuously changing threat landscape.

Andrew Durgin joined the USAA Information Security team in December 2017, to focus on Web Application security. Prior to this, Andrew worked for over a decade at Paychex, Inc., serving in various roles in Information Security, including Security Engineering, Security Assessment, and Security Operations Management. Andrew graduated from Rochester Institute of Technology in 2005 with a bachelor’s degree in information technology. Andrew finds satisfaction in providing realistic solutions that enable the organization, while at the same time strengthening their security posture.

A7 – Be a Hero with DMARC: Save Your Customers and Partners from Internet Villains!

Stephen Mitchell

HealthNow New York, Inc. adopted aDomain-based Message Authentication, Reporting and Conformance(DMARC) reject posture in September 2017, for all but one of their domains; and it only took five months! No problems!

But according to the November 2017 Agari DMARC report, DMARC adoption is still low. Why? We think it’s because DMARC is not an alluring topic at the top of everyone’s task list and there’s no easily digestible content available to help those looking to start down the path to DMARC reject.

In this presentation we’d like to share the options they have for implementing DMARC, and the strategy and tactics we all can use to become DMARC heroes.


Stephen Mitchell is a Senior Information Security Analyst at BlueCross BlueShield of Western New York. He loves helping people defend their enterprise’s data, streamlining business processes, and improving integrations between information risk controls. He has spent the majority of his career in the corporate information security field gaining experiences in cyber threat intelligence and incident response, easy administration of systems, and telling people why email is the worst thing ever. While delivering sustainable security solutions is his primary, every day job function, Stephen also enjoys sharing his knowledge with others and building long lasting relationships with his peers through the healing power of karaoke.