Business: Governance, Risk, & Compliance

The Business: Governance, Risk & Compliance Track is designed for managers and C-Level executives who hold the responsibility of shaping the security practices within their organization. The track focuses on security strategies, risk management techniques, legal issues and security and compliance standards.

B5 – Small Business Privacy and the GDPR: How Did We Get Here?

Chaim Sanders

Over the past year we have seen organizations frantically attempt to prepare for the European Union’s General Data Protection Regulation, or the GDPR, as it’s more commonly known. Large organizations were hiring lawyers, sending out new privacy policies, and positioning their products to market “GDPR compliance”. While these organizations have the budgets to prepare for this large and nebulous piece of legislation, smaller organizations continue to struggle with understanding GDPR and the steps they need to take. In this talk we will investigate the minimum requirements outlined in GDPR and the multinational history of how we ended up with the GDPR.


Chaim Sanders is the Security Lead at ZeroFOX, an organization devoted to social media security. He is also the project lead for the OWASP Core Rule Set (CRS) and a co-lead for OWASP Baltimore. Currently Chaim’s specialization centers around web application security. Chaim frequently shares his research at many conferences nationwide, as well as on various blogs. Prior to joining his current employer, Chaim worked for several governmental contractors, security research organizations, universities, and commercial contractors providing security-driven consulting and development expertise. Chaim holds a bachelor’s and a master’s degree in information security from the Rochester Institute of Technology (RIT), where he still lectures.

B6 – The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

Michael Melore, CISSP

New methods are required to address threats that are increasing in frequency, sophistication, and impact; all in a climate of increasing cost restraints and shortages of resources and skills. Traditional security controls and response can’t possibly keep pace.

Private and state-sponsored dark web actors are well orchestrated, use innovative AI technologies, and are able to leverage digital currencies, and their R&D-produced wares, designed to circumvent traditional security practices, have changed the game. New and innovative security approaches are now required.


Michael Melore is an IBM CyberSecurity Advisor, Certified Information Systems Security Professional, and recognized subject matter expert in Security Intelligence, Data Protection, Identity Access Governance, and Authorization. His unique security perspective is frequently reflected in his published articles. Consulting roles include: Lead architect for many of the largest secured authentication and billion-user authorization infrastructures.

Speaking engagements include passionate discussions correlating blended threats across physical and logical infrastructure boundaries, Cognitive Security, Threat Hunting, Security Intelligence and Response, Identity Access Management and Governance, Defense in Depth, Security Immune System, Cloud Security, and Billion User Identity Crisis.

Conference and Summit venues include IANS, Executive Alliance CXO Summits across US cities, Executive Network CISO Chapter Meetings across US cities, ISACA Pittsburgh Information Security Awareness Day, Nebraska Cyber Security Conference, Evanta CISO Summits across US cities, Montgomery County Community College, South Eastern PA Higher Education Executives Round table.

B7 – Sex, Lies and Mobile Devices: The Seedy Underworld of Mobile [In]security

Daniel Gibson

The smartphone in your pocket has, quite literally, transformed every facet of your life. From commerce and communications to entertainment and awareness, mobile devices have become our most prized possessions, almost overnight. But along with these amazing advances in technology have come very serious security and privacy risks, many of which go unnoticed, unmanaged or even unknown. The device in your pocket has become the Big Brother we always feared, and the worst part is this – you agreed to it. Join GreyCastle Security as we demystify the security and privacy risks of your smartphone and provide practical tips for dealing with this new phenomenon.


Daniel Gibson (CISA, CISSP, MBA, M.S. Cybersecurity) is a Senior Security Specialist at GreyCastle Security. Prior to joining GreyCastle, Daniel served as the Director of Information Security for the Ayco Company (a Goldman Sachs Company), and in IT Advisory Services at Ernst & Young. Additionally, he has held roles managing information technology and security initiatives in various industries, including healthcare, finance and technology marketing.

His 10+ years’ experience in IT and cybersecurity includes extensive experience in risk assessment and management, incident response, HIPAA, ISO 27001/2, NIST 800-53, SOX, GLBA, vendor risk management, contracts, security awareness training, and leading comprehensive enterprise security programs.

B8 – Time Is Not on Your Side – The Legal Risk of Ransomware

F. Paul Greene

A ransomware attack not only poses a security risk, it creates legal risks that can cripple an organization, even if, from a technical perspective, it is able to recover fully. This presentation outlines the legal risk arising from a cyber extortion attack, and provides an actionable outline of how to address legal considerations before, during, and after you receive that first ransom note. Some of the questions addressed include: Has my organization appropriately planned for this event? Whom do we call first when we first see the ransom note? Are our communications concerning the attack privileged, or can they be used against us? Will our carrier pay for our forensic support, and how about the ransom? Do we have to report this, and when?


Paul Greene is Chair of the Privacy and Data Security Practice Group at Harter Secrest & Emery LLP. He is a seasoned breach coach with deep experience in ransomware and cyber extortion events. Before an event, he aids organizations in conducting appropriate pre-breach planning and incident response drills. During the event, F. Paul oversees all aspects of incident response, helping the organization properly position itself for quick recovery, managing regulatory and litigation risk, and preserving the attorney-client privilege and appropriate incident-related documents and artifacts. F. Paul publishes and speaks internationally on cyber-security issues, is an adjunct professor at the Rochester Institute of Technology, teaching Information Security Policy and Law, and is a Distinguished Fellow of the Ponemon Institute.