The Compliance & Risk Management Track is designed for information security managers and C-level executives such as CISOs that have responsibility for shaping the security practice within their organizations. This track focuses on security strategies, risk management techniques, legal issues, and security compliance / standards.

C1 – “What would you say…you do here?” Explaining Security to Management – and Vice Versa

Matt DeMatteo

Many information security programs are still under resourced despite an awareness of the risks of poor security. One reason is that most information security programs fail to provide sufficient evidence to senior management that resources are needed, effectively spend, and that the program improves over time. All these elements are required for proper governance – and governance is the exercise that senior management uses to evaluate, spend and allocate budgets. The disconnect between information security programs and senior management is so great, that in many organization’s, both sides are not only unaware the problem can be fixed, they are unaware there is a problem.

This presentation will explain how this disconnect came to be, why this disconnect persists, and what can be done about it. We will examine governance and the language of oversight – metrics, KPIs, KRIs, and SLOs – and explore how embracing governance improves security programs. Security leaders will hear a new take on how senior management thinks about security programs. Security practitioners will learn what they can do to not only improve their program, but build better resumes and careers.


Matt DeMatteo is a Principal Security Architect at Dell SecureWorks. He has worked in a pre-sales and post-sales capacity with hundreds of information security groups around the country to improve security outcomes.

C2 – Vendor Risk: The Back Door You Can’t Leave Unlocked

Keith Robertson

As we’ve seen time and time again, cybercriminals take the path of least resistance. Based on recent high profile breaches, hackers have learned that contractors and other third-party providers can provide an opening into otherwise-secured corporate networks. You’ve spent time, money and energy securing your organization internally, only to have the back door left wide open. How can you extend your internal security controls to your vendors and help reduce your organization’s risk? Join GreyCastle Security for an in-depth look into vendor risk management. Learn what’s working, what’s not, and how your organization can better manage one of the most challenging security issues facing organizations today.


Keith Robertson (CISM, CIPP/G, NSA IAM, GSEC/GCIH, GSSGB, HITRUST) is a Security Strategist at GreyCastle Security. As a senior level technology, information security and risk management professional, Keith has over 15 years’ experience in developing, implementing, and managing security solutions for financial, healthcare, retail, manufacturing, telecommunication, energy, travel, information technology, and other industries.

Keith has extensive knowledge of HIPAA, PCI, HITRUST, HITECH, ISO, SOX, COBIT, NIST, FISMA, CMS, GLBA and ITIL standards/regulations ranging from risk management, incident response, and regulatory compliance that can be applied to network, application, and physical security.

C3 – Managing Cyber Risk from a Legal Perspective

F. Paul Greene

The risk of a data incident is ubiquitous and growing, yet it is a risk that can and must be managed. This presentation addresses cyber risk from a legal perspective, addressing issues including state and federal data protection and data breach notification laws, preservation of evidence and attorney-client privilege, interaction with law enforcement and regulators, insurance coverage, and the ever-present risk of data breach litigation. Through this presentation participants will learn about the changing legal landscape in relation to data breaches and incidents, the importance of planning for the inevitable breach, and how best to manage and potentially mitigate risk, if and when the breach occurs.


F. Paul Greene is Chair of the Privacy and Data Security Practice Group at Harter Secrest & Emery LLP. Paul represents entities of all sizes and in various industries, in relation to cyber-security issues. From pre-breach counseling to breach response coaching, Paul has been involved in all aspects of the breach preparation, response, and remediation process. His background as a commercial litigator serves him well, allowing him to have an eye toward potential litigation/regulatory risk, preservation of evidence, and attorney-client privilege in all of his cyber security matters. Paul presents and publishes regularly on cyber security issues.

C4 – Custom Frameworks, Compliance, and Critical Controls

Michael Montagliano & Jeanne Morelli

This presentation outlines control frameworks; specifically NIST 800-53 Rev 4 and the subset of the 20 Critical Controls. During the presentation we will review the nature of the controls, the Concept of Operations, how to measure the risk tolerance and how to categorize systems to which the Controls will be applied. Based on our engagements with our clients, we will also review how the Controls can be tailored to the organization, including references to Compliance requirements. Organizations are required to adhere to compliance guidelines, many of which overlap. This strategic direction provides a framework which addresses multiple compliance requirements, provides an audit guideline and directs the security posture for the organization.


Michael Montagliano joined IV4 in November 2011 following over 20 years of information technology experience in various sales, technical, and management roles. As Chief Technology Officer, Michael is responsible for the overall technology strategy and execution at IV4. As VP of Consulting, Michael performs information technology assessments and architectural design services. With subject matter expertise in security and disaster recovery, Michael and his team have been engaged with organizations nationwide.

Jeanne Morelli is the Vice President of Operations and Senior Business Technology Consultant at IV4. In her role as consultant she also is contracted as a Virtual CIO guiding other organizations to develop and maintain the most up to date technology standards and procedures.

With over 20 years of experience in IT, her roles have included sales, solution development, technical and project management and consulting. As a consultant, Jeanne has worked with clients on IT strategy development, security assessments and remediation, business process development and workflow automation. As the Vice President of Operations at IV4, Jeanne also works with the team to develop managed solutions that provide clients continuing visibility into their networks, applications, WAN and security.

Using her technical experience and background in NIST 800-53 version 4 and other methodologies, Jeanne has worked with large universities and private organizations to develop their security control frameworks. Her belief is that this is a holistic approach, including both the organization’s compliance requirements and acceptance of risk. No two are alike. As with any consulting engagement, the focus is on the client and their business needs and capabilities, ensuring that their security posture is thoroughly developed.