The Business Track is designed to help business and IT leaders understand current and emerging security issues, how they impact our organizations and how other security thought leaders are protecting their organizations. This track features management topics that are vital for business professionals and organizational leaders to understand how security principles apply to business objectives, technology projects, threat trends, and business continuity.

B1 – Bulls(***) on Parade: Security Theater Academy Awards

Reg Harnish

There’s no shortage of bad cybersecurity advice out there. Most businesses get their security priorities from television, and it’s a sold out show for “Security Theater 2016”. As if it wasn’t hard enough fighting through the endless fog of headlines, white papers and newsletters, even your so-called allies aren’t doing you many favors. Cyber liability carriers, regulators and security vendors all have one thing in common – they’ve all got [crappy] opinions.

So what is any good cybersecurity professional to do? Celebrate! Join GreyCastle Security as we explore some of the most opportunistic, short-sighted, mindless guidance foisted upon us by mainstream media, the US Government and your boss, and truly recognize those parties who have had the greatest possible negative impact on our security! It’s the first annual Security Theater Academy Awards, and you’re invited!


Reg Harnish is an entrepreneur, speaker, author and the CEO for GreyCastle Security, a leading cybersecurity consulting firm headquartered in Troy, NY. Reg has been practicing security for nearly two decades, specializing in security solutions for healthcare, higher education, critical infrastructure and other industries. Reg brings a thought-provoking perspective to the industry and strives to promote awareness, security “thinking” and practical application of security fundamentals.

As the CEO for GreyCastle Security, Reg is responsible for defining and executing the company’s vision. Reg has led the organization to four consecutive years of triple-digit growth while establishing GreyCastle Security as a highly-respected thought leader. GreyCastle Security is currently working with organizations in nearly every state in the US, including Fortune 5000 and Global 100 organizations.

Reg attended Rensselaer Polytechnic Institute, and has achieved numerous security and industry certifications, including CISSP, CISM, CISA and ITIL. Reg has achieved various physical security certifications, including firearms instruction and personal protection. Reg is a graduate of the FBI Citizens Academy. Reg is a fellow of the National Cybersecurity Institute, a cybersecurity educational institution located in Washington, D.C. Reg serves on numerous security association boards and is currently an advisor to several educational institutions focused on cybersecurity.

B2 – Securing Mobile Devices and the Enterprise Endpoint

Daniel Colonnese

Most organizations struggle to inventory and secure their hardware and software assets. Managing Domain-attached Windows, Macbook and iOS, Linux and Android, as well as the BYOD and business partners, all include challenges. This presentation will discuss common approaches to improving security, such as; laptop policies, license management, patching schedules, as well as common patching and config automation, which must also enhance IT productivity.


Daniel Colonnese joined Lighthouse Computer Services, Inc. in February, 2010. Daniel has 10 years of experience in the software industry, and has built software for IBM and the US Dept of Energy. He holds a Master’s of Science in Computer Science and has received 2 US patents related to web services for bioinformatics. Mr. Colonnese has provided solutions for insurance claims and billing systems, including insurance web portals, banking loan origination systems, banking cash management systems, government case managements systems, financial market data delivery, and algorithmic trading systems.

B3 – The Ever Changing Security Landscape

Jonathan Borgesen

With the ever changing threat landscape, the number of successful attacks is growing exponentially every day. It is a constant challenge for security manufacturers to stay ahead of the curve and provide security solutions for the new generations of threats. Because of these manufacturers efforts, there is a near constant flow of new technologies entering the market on an almost daily basis. However, there seems to be a delay by the users themselves to adopt these technologies. This delay ultimately leaves organizations exposed and vulnerable to the unknown threats of the future.


Jonathan Borgesen has been employed with Brite Computers for five years, with a focus in Security. Jonathan has vast experience with not only the onslaught of Cyber Threats but also with the cutting edge technologies that can help protect against the ever changing threats.

B4 – Stop Reading about The Internet of Things and Start Doing Something About It

Andrew Phillips

The Internet of Things (IoT) is a 600 billion dollar industry worldwide and the industry is likely impacting the integrity of your network. In a world where technology is built for convenience, IoT devices may be creating major internal security flaws for your organization. In my presentation, I’ll be taking on the task of defining an IoT device, exploring the risks associated with IoT device, providing a four step strategy for organizations to reducing their current IoT Risk as well as provide a few long term strategic goals to secure their network from IoT devices as they emerge.


Andrew Phillips is a recent college graduate from the Rochester Institute of Technology. Andrew is currently working at The Bonadio Group as a member of the Enterprise Risk Management Division and sits on the Technology Assurance Committee for NYSSCPA. Andrew has a particularly strong interest in Information Security and specifically the security of Internet of Things (IoT) devices. He has two articles pending review for publication; the first article concerns Ransomware in the Healthcare Industry and the other Attack Vector Analysis of the Internet of Things.

B5 – Beyond the Checkbox: Building an Information Security Culture

Charles Profitt

Information Security must be woven into the fabric of an organization. It must be a part of internal values and priorities and not just an item to be checked off to reach compliance.


Charles Profitt is an information technology professional with more than 20 years of experience. He is a forward-thinking information technology leader and outgoing speaker. Profitt works with clients to develop and execute technology strategy in industries ranging from interior design to museum management. He understands that the fast moving pace of change and complexity is a challenge when implementing technology solutions.

His passion for technology and innovation extends to his volunteer work with the Perinton Historical Society and The Boy Scouts of America. Charles was awarded the District Award of Merit in 2015 for his work with Towpath District of the Seneca Waterways Council. Profitt has designed the logo for the Rochester Security Summit as well as serving and having served on its planning committee, sponsorship committee and as a track chair.

B6 – Backups: An IT Person’s Life Insurance

John D. Flory & Jeff Miller

An interactive presentation about the value of staying current with backup technology. This presentation will discuss best practices when using backups as well as the consequences of not having a backup policy in place. You will learn the importance of including backup and disaster recovery in your IT budget and common pitfalls in backup and disaster recovery policies.


John D. Flory III, renowned cyber security expert, will be sharing his insight and experience in the realm of physical, social and cyber security concepts. During John’s 22 year tenure in the security field he has spoken at numerous conferences, including key notes at the Symantec Global conference, New York State School Boards Association, New York Bankers conference, Entrepreneur Organizations and several other diverse venues. John’s hands on security experience dealing with real time cyber security attacks and remediation offers a valuable resource to an organization’s’ cyber preparation. John’s leading edge approach has allowed him to help create human firewalls as a key pillar of defense.

Jeff Miller is an engineer at TAG Solutions with a focus on information security. Before TAG, he worked as an information security engineer for the NYS Attorney General’s and ran his own consulting business. Jeff has defended against the infamous hacker group Anonymous as well as the all-too-well-known CryptoLocker Trojan. He has proactively set up, monitored, and maintain layered security defenses to protect organization’s information assets.

B7 – Survive the Trenches of Zero-day Exploits

Vic Chung

The end-goal of most proactive security defense mechanisms is to avoid zero-day exploits. Yet, are we prepared to deal with our worst-fear when it occurs? I will share my experience in the trenches of managing zero-day exploits and provide insight into the recurring pattern I’ve observed while detecting, protecting, and reacting against exploits. I will discuss the good, as well as the bad, from my lessons learned.


Vic Chung is a Product Security Architect with SAP Global Security. Vic is responsible for case-management of vulnerabilities reported by hackers and is the lead in Americas. Prior to joining the security team, Vic managed intellectual property compliance for development teams globally and has deep expertise in technical program management. Vic has a Master’s degree in Information Systems from University of Toronto, Canada and a MBA in Technology Management from Open University Business School, UK. When not working with hackers or customers, you will find Vic snowboarding on the mountains along the Canadian west-coast.

B8 – Pandora’s Box Also Contained Hope​

David C. Frier

Why strong encryption and other state-of-the-art security tools will always be widely available to the public and how law enforcement might learn to love that fact.


David Frier has been an IT professional since 1978 and an Infosec professional since 2005. He has worked on every kind of system from OS ​internals to clinical trials databases.

B9 – Trends in Effective Malware Detection and Incident Response

John Otte

John will discuss how data breaches are costly, high-profile incidents. CEOs are more concerned than ever before, the threat is only getting worse, and it’s no surprise that cybersecurity has become a boardroom topic. It used to be enough to protect the IT perimeter, but now one has to presume that the threats are already lurking in your systems. The question is how to find them, negate them, respond to them and protect from them happening again. John will discuss how trends and tools have changed dramatically over the last several years and give a glimpse of how they will continue to evolve in years to come.


John is a seasoned Information Security and data protection professional with over 10 years of Systems Security Audit and controls experience. His vast experience includes over 20 years of Information Technology and engineering experience in the US Government, Department of Defense and the private sector. John’s private sector experience includes assisting clients with assessments related to the Health Insurance Portability and Accountability Act (HIPAA). John has extensive experience in the healthcare and public utility industries. John has led both large and small health insurance companies, providers and hospitals with the assessment of their information processing environments using the HIPAA privacy and security rules as the baseline.

John has also performed a number of large engagements for companies that required experience in dealing with the National Institute of Health, The Center for Disease Control and the Center for Medicare/Medicaid. John’s vast knowledge in Healthcare related issues and challenges enables him to provide cost effective pragmatic solutions to his clients.

John has extensive experience with assisting power and other public utility companies with the assessment of their compliance with the Northern American Electric Reliability Corporation’s (NERC) standards for Critical Infrastructure Protection (CIP). John has led several engagements for public utility companies to help them achieve and sustain compliance with these standards. John’s experience also includes leading numerous financial and regulatory audits, including those involving the Gramm-Leach-Bliley Act. John has vast experience in assessing the design and effectiveness of information protection, data security and internal controls in both commercial and investment banks across the United States. John has also performed incident response and digital forensics work for a variety of commercial and government organizations. His investigation experience ranges from corporate misconduct to high profile criminal cases involving expert testimony.

John is a national speaker on the topic of incident response and specializes in forensics cases related to the Payment Card Industry Data Security Standards (PCI DSS). Much of his recent expertise centers on IT governance and control. His knowledge in the Payment Card Industry Data Security Standards (PCI DSS) has assisted in the implementation of comprehensive compliance programs. John has also helped organizations with technology governance and control by aiding in the implementation of leading IT governance frameworks such as ISO 17799.