2015 Ohio Cyber Security Day Agenda / Speaker Profilesitsecurity.cuyahogacounty.us/pdf_ITSecurity/en-US/... · 2015 Ohio Cyber Security Day Agenda / Speaker Profiles Page 5 of 12

2015 Ohio Cyber Security Day Agenda / Speaker Profiles

Page 1 of 12

Time Sessions

08:30-09:00 AM Registration / Check-in

09:00-09:10 AM

Opening Remarks

Stu Davis – CIO, State of Ohio

09:10-10:00 AM

Keynote(s)

Bob Smock, Vice President, Gartner Consulting, Security & Risk

Kim May, Director, Gartner Consulting, Security and Risk Management

Security Governance Best Practices and Trends in State Government - Most security program failures are not technology-related. Failure is more likely to occur because of poor governance or poor management of the overall program or individual projects. Many security programs lack clear priorities, goals and decision-making processes. As a result, they will likely or already do suffer from cost overruns, timeline slippages, or reputational damage. This not-so-subtle transformation of the public sector enterprise security model is being driven by today’s highly charged business climate with the emphasized need to contain costs, remove obstacles, and to maintain an innovative edge. In such an environment, security controls are many times viewed as obstacles. And the innovative edge usually comes with new technology – and new threats. The key is balance. Gartner is seeing a growing trend in requests for governance assistance as public sector enterprises attempt to migrate away from the traditional definition of strict IT security risk management that includes access control and vulnerability management, and begin to take on the wider scope of business risk management that includes service provisioning and compliance. Gathered from hundreds of public sector security program assessments conducted by Gartner over the past 5 years, this session will provide insight and lessons learned on the leading practices – both good and bad – that are currently being used in the continuing effort to manage the risks faced by today’s governing entities.

10:00-10:10 AM Break

10:10-11:00 AM

Simon Herring - Information Security Consultant, Ubersecure

Why Exercise is Good for Your Security Health - In 2013, a concerned citizen reported a suspicious vehicle on I-71 near an ODOT technology cabinet. A first-responder dispatched to the scene discovered a device connected to a network switch. Phones began to ring, security alerts were triggered, and an incident was declared. What sounds like a complete nightmare for any CIO or CISO was actually a planned event -- an incident response EXERCISE. In this informative session, Simon Herring will share with you what ODOT learned, how to plan your own incident response exercise, and what to expect during testing. You’ll know how to train for the worst, so you can do your best when it really matters.

11:00-11:10 AM Break

11:10-Noon

Brian D. Kelley- CIO, Portage County

Navigating Away from the Land of Business Resiliency Make-Believe: An IT/IS Therapeutic Couch Business Resiliency Counseling Session - This session with explore how we can navigate out of ” Land of Business Resiliency Make-Believe” in the 21

st century and sleep soundly at night knowing we have true business resiliency in place.

Noon-1:30 PM LUNCH – On your own


Page 2 of 12

1:30-2:20 PM

Jeremy Mio - Security & Research, Cuyahoga County

The DDoS War Story: An overview on DDoS war stories, preparation, and survival tips. How major events can turn into cyber attack or just coincidental crossfire.

2:20-2:30 PM Break

2:30-3:20 PM

Sergeant Thomas J. Gerber - Ohio Homeland Security

New Cyber Threats Emerge Every Day: This presentation will provide an overview of Ohio Homeland Security and the Strategic Analysis & Information Center (SAIC). It will then focus on the current cyber threats that are being reported to the center and provide some tips to protect yourself in the current environment.

LTC Teri Williams - Ohio National Guard

The Ohio National Guard – Cyber Security Capabilities: The Ohio National Guard has two cyber security elements (Army: Defensive Cyber Operations Element and a portion of a tri-state Cyber Protection Team) and they are currently applying for a third one (Air Force: Cyber Operations Squadron). The presentation will provide an overview of the team’s last year and it will also discuss the capabilities that our teams bring to the state of Ohio. An optional discussion on Security Onion will be available based on time.

3:20-3:30 PM Break

3:30-4:20 PM

Daren Arnold – Chief Privacy Officer, State of Ohio

Practical Privacy Outlook for 2016: The session will provide a brief overview of the main privacy concepts and then highlight key privacy risks and protection strategies for 2016.

4:20-4:30 PM

Closing Remarks

David Brown – Chief Information Security Officer, State of Ohio


Page 3 of 12

Stu Davis State Chief Information Officer (CIO) and Assistant Director for the Ohio Department of Administrative Services (DAS), Office of Information Technology (OIT)

Stu Davis currently serves as the State Chief Information Officer (CIO) and Assistant Director for the Ohio Department of Administrative Services (DAS), Office of Information Technology (OIT). Stu has a varied background in IT leadership and management, including infrastructure, enterprise shared services, and spatial technologies. Prior to his appointment as State CIO, Stu served as the State Chief Operating Officer and deputy director of the Infrastructure Services Division within DAS/OIT. As the State Chief Information Officer, Stu leads, oversees and directs state agency activities related to information technology development and use. As Assistant Director of DAS, Stu oversees the Office of Information Technology (OIT) which delivers statewide information technology and telecommunication services to state government agencies, boards and commissions as well as manages IT procurement, policy and standards development, lifecycle investment planning and privacy and security management. Stu serves as Chair of the Multi-Agency Radio Communications System (MARCS) Steering Committee that supports voice and data communications for statewide public safety and emergency management. He also chairs the Ohio Geographically Referenced Information Program (OGRIP) Council that provides geographic information systems (GIS) coordination across the state between all levels of government and chairs the Emergency Services IP Network (ESINet) Steering Committee that focuses on Ohio’s Next Generation 911 solution. Stu is a 16 year member and past president of the National States Geographic Information Council (NSGIC). He is a 4+ year member of the National Association of State Chief Information Officers (NASCIO). Stu has served on various NASCIO committees as well as the executive board. He also served as Secretary/Treasurer, Vice President and currently serves as the President. Stu’s career spans 35 years focused on state and local government with 12 years of hands on experience in local government, 18 years in state government and 5 years in the private sector consulting to state and local government on IT/GIS initiatives.

Opening Remarks


Page 4 of 12

Bob Smock, Vice President, Gartner Consulting, Security & Risk

Bob Smock is an experienced consultant with more than 30 years of IT experience with a background in software and infrastructure development and operations, IT architecture engineering and design, and senior/executive-level IT management. His background also includes more than 25 years in IT and information security and mission-critical risk management. He has provided leadership and expertise for numerous successful IT and security projects across a wide spectrum of industries including government, aerospace, defense, financial services, health care, education, insurance, manufacturing, and service providers. Bob currently leads the Gartner Public Sector Security and Risk Management team, with projects stretching across the nation for State and Local government entities as well as Federal. He has conducted or led more than 1000 security program evaluations in numerous commercial and public sector industry verticals. This includes several hundred security strategy assessments conducted for public sector entities over the past five years, which involved the development of organization-specific strategic security architectures and improvement deployment roadmaps. Bob has extensive experience in IT security architecture strategy and security program development and management, including executive management experience. Specific security process experience includes security policy and governance, computer and data protection, identity management including multi-factor authentication, risk analysis and threat assessment, business continuity and disaster recovery, incident response and forensic investigation, training and awareness, intrusion detection and monitoring, IT audit and change management with assurance, PKI and encryption, and secure application development. Bob is familiar with numerous security standards including NIST, (including FISMA, PIV, and HSPD-12), ISO-27001, COBIT, and ITIL security management. Prior to joining Gartner/Burton Group in 2008, Mr. Smock spent 17 years as the CISO and Director of IT Security with contractor management responsibilities for providing the protection of NASA’s ground-based IT resources that supported space operations at several NASA manned spaceflight centers. Before that, Mr. Smock provided program management and technical leadership as director of Rockwell International Information Security Consulting, and was the director of R&D for a private engineering and software development firm. Mr. Smock is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), a certified Project Management Professional (PMP), and is a graduate of the Federal Law Enforcement Training Center (FLETC). He has numerous professional organization affiliations and is also a college-level educator, writer, and public speaker. He holds an approved U.S. Government National Agency Check with Inquiries (NACI) background investigation and (formerly) a SECRET clearance. Mr. Smock also holds a Bachelor of Science degree in Computer Science and Engineering Technology from Texas A&M University.

Keynote Security Governance Best Practices and Trends in State Government - Gathered from hundreds of public sector security program assessments conducted by Gartner over the past 5 years, this session will provide insight and lessons learned on the leading practices – both good and bad – that are currently being used in the continuing effort to manage the risks faced by today’s governing entities.


Page 5 of 12

Kim May, Director, Gartner Consulting, Security and Risk Management

Kimberly May is an experienced project and delivery consultant with more than 20 years of IT experience including more than 10 years in security and identity management. She has provided leadership and expertise for numerous successful IT and identity management projects across a wide spectrum of industries including aerospace, defense, financial services, government, health care, education, insurance, manufacturing, and service providers. Kim has extensive experience leading projects focusing on strategic IT planning, identity management, identity data directories, resource provisioning, multi-factor authentication including PIV credentials, PKI, ERP implementations, project management, messaging, desktop strategies, content management, ITIL, and IT governance. Kim has led over 50 IT infrastructure and strategic architecture projects including multiple infrastructure and security technology implementations, migrations and upgrades. Representative consulting engagements include:

Developed the strategic Information Security and Identity Management Reference Architecture for a major northeast insurance provider.

Conducted infrastructure assessments and used the results to develop full Identity and Access Management Strategies for a major international heavy vehicle manufacturer and a major electricity provider in the Northeast.

Supported a state CIO in developing a directory consolidation strategy and governance model as the foundation for identity management information sharing in support of the state’s 150,000 employees.

Conducted a comprehensive study for a global financial services company regarding cloud-based and hosted messaging services.

Supported a global 100 oil and gas company in development of their enterprise desktop strategy including examination of application and desktop virtualization approaches.

Developed an enterprise MS SharePoint governance model and implementation strategy for a global greeting card manufacturer.

Assisted with Service-Oriented Architecture Strategy development and steering for a nationally recognized secure facility. Participated in guidance during implementation.

Prior to joining Gartner/Burton Group, Ms. May was a senior member of the Strategic Planning and Integration Organization reporting to the CIO of a major aerospace contractor at NASA. As such, Kim was responsible for strategic IT decisions, leadership, and delivery of enterprise technology initiatives including a $10M Identity Management implementation, a $63M Oracle e-Business implementation, a $9.4M PeopleSoft HR and Financials re-implementation, and the initial Active Directory implementation/domain consolidation. Kim also led a number of other strategic enterprise infrastructure initiatives including messaging systems, desktop rollouts, compliance measures and other core infrastructure.

Ms. May is a certified Project Management Professional (PMP) with a Masters Certificate in Project Management from Villanova University and an Executive Management certification from Rice University. She is also a member of the Project Management Institute (PMI). Kim holds an approved U.S. Government National Agency Check with Inquiries (NACI) background investigation and has a Bachelor of Science in Finance as well as a B.S. in Marketing from the University of South Florida.

Security Governance Best Practices and Trends in State Government - Gathered from hundreds of public sector security program assessments conducted by Gartner over the past 5 years, this session will provide insight and lessons learned on the leading practices – both good and bad – that are currently being used in the continuing effort to manage the risks faced by today’s governing entities.


Page 6 of 12

Simon Herring Information Security Consultant, Ubersecure

Simon Herring is cybersecurity expert with over 22 years of experience in vulnerability management and security operations. As a consultant with Ubersecure LLC, Simon provides both business and technical level expertise to a variety of clients, including several billion dollar organizations, US state agencies, healthcare, financial, and manufacturing verticals. Prior to launching Ubersecure in 2010, Simon was the Founder and CTO of a Midwest Security services firm which he started in 2001. He has also worked for IBM Global Services and the US Naval Security Group Activity in Ft. Meade, MD. Simon is a highly sought after professional who consults and speaks on topics ranging from cybersecurity to managing adversity in an unpredictable world. Simon believes people are the real difference makers. When he's not defending the network from bad guys, he helps motivated but overwhelmed professionals reduce their IT and personal risk by increasing their clarity, confidence, and resilience.

Why Exercise is Good for Your Security Health: In 2013, a concerned citizen reported a suspicious vehicle on I-71 near an ODOT technology cabinet. A first-responder dispatched to the scene discovered a device connected to a network switch. Phones began to ring, security alerts were triggered, and an incident was declared. What sounds like a complete nightmare for any CIO or CISO was actually a planned event -- an incident response EXERCISE. In this informative session, Simon Herring will share with you what ODOT learned, how to plan your own incident response exercise, and what to expect during testing. You’ll know how to train for the worst, so you can do your best when it really matters.


Page 7 of 12

No Photo LTC Teri D. Williams G6/IT Supervisor, JFHQ-OH OHARNG Computer Network Defense-Team Lead Commander, 112th Engineer Battalion

LTC Teri Williams is the Defensive Cyber Operations Team Lead for the Ohio National Guard and is also a Battalion Commander for the 112

th Engineer Battalion. She is primarily

responsible for Cyber Security Planning and Operations in the Ohio National Guard. She also manages the Army National Guard networks and telecommunications throughout Ohio as well as all of the tactical communications for the Ohio Army National Guard and security for Ohio’s portion of the DOD network. She has 18 years of experience in military service, including three deployments (two of which were served in Afghanistan as a Brigade S6, equivalent to a CTO/CIO). In the last two years, she has participated in seven cyber security exercises as well as an overseas cyber security planning operation. She has a Bachelor’s degree from Case Western Reserve University and Master’s Degree from University of Maryland University College. Decorations include a Bronze Star and four Meritorious Service Medals. Certifications include GIAC GCIH, CISSP, C|EH, and CISM.

The Ohio National Guard – Cyber Security Capabilities: The Ohio National Guard has two cyber security elements (Army: Defensive Cyber Operations Element and a portion of a tri-state Cyber Protection Team) and they are currently applying for a third one (Air Force: Cyber Operations Squadron). The presentation will provide an overview of the team’s last year and it will also discuss the capabilities that our teams bring to the state of Ohio. An optional discussion on Security Onion will be available based on time.


Page 8 of 12

Jeremy Mio, Cuyahoga County

Jeremy Mio currently works at Cuyahoga County of Ohio directing the Security and Research Department responsible for informational and physical security systems for all County agencies, Boards, Jails, and regionalized municipalities and systems. Jeremy is also co-founder of CodeRed LLC where he is the Principal Cyber Security Consultant. He has been on the Northeast Ohio InfraGard executive board and currently IT Sector Chief. He also serves as Co-Chair for workgroups within the Center of Internet Security and works on various threat data projects for various entities. He previously worked at a Fortune 500 within Risk Management and Security Department focusing on Identity and Access Management. He presents at various conferences addressing cyber security threats in local government and participates in other local/nation security organizations such as the IACSP, OTOA, CCDC, NEOISF, ISC2, ClevelSec, BSides, FBI Citizens Academy, CSOXchange, Ohio Cyber Day, and the Ohio Information Security Summit. In his spare time he enjoys conducting research on Drone capabilities within the evolution of security convergence, working as a tactical weapons instructor, and scuba diving.

The DDoS War Story: An overview on DDoS war stories, preparation, and survival tips. How major events can turn into cyber attack or just coincidental crossfire.


Page 9 of 12

Brian D. Kelley CIO, Portage County

Brian Kelley is in his 25th year as Chief Information Officer at Portage County, Ohio. Under his

leadership, Portage County has received international, national, state, and regional recognition

for highly successful enterprise-wide information technology projects.

He earned his Master of Public Administration Degree from Kent State University and he has

completed the Certified Government Chief Information Officer Program at the University of

North Carolina at Chapel Hill.

In 2012 he was selected as one of the “Top 25 Doers, Dreamers & Drivers in Public Sector

Innovation” by Government Technology Magazine.

He is currently serving as 1st Vice President on the Executive Board of Directors of GMIS

International. With over 400 member organizations across the U.S. and international sister

organizations in six countries, GMIS International is one of the largest professional

organizations for public sector IT leaders in the U.S. He is a past president of the Ohio

County/City Information Technology Association and currently serves as state liaison.

Mr. Kelley is an adjunct instructor with both the Sociology and Political Science Departments at

Kent State University. He is also an assistant lecturer with the Department of Public Service

Technology at the University of Akron.

Navigating Away from the Land of Business Resiliency Make-Believe: An IT/IS Therapeutic Couch Business Resiliency Counseling Session: The reality is that most of us in IT and IS live in the” Land of Business Resiliency Make-Believe”. We have “THE PLAN ” and we may periodically “somewhat” test it. The reality is our business resiliency preparedness is its own disaster waiting to happen within our organizations for far too many of us. Today we are also highly reliant upon a host of service providers whom we think and they think have it all covered when it comes to their business resiliency. We blindly trust them as a plethora of perfect storms hover over our IT landscape waiting to strike with a vengeance.

This session with explore how we can navigate out of ” Land of Business Resiliency Make-Believe” in the 21st century and sleep

soundly at night knowing we have true business resiliency in place.


Page 10 of 12

Sergeant Thomas J. Gerber Deputy Chief of Operations Ohio Homeland Security-Strategic Analysis & Information Center (SAIC) Ohio Department of Public Safety

Thomas Gerber is a 10 year veteran of the Ohio State Highway Patrol. Currently, he holds the rank of Sergeant and serves as the Deputy Chief of Operations for Ohio Homeland Security’s Strategic Analysis & Information Center (SAIC). The SAIC is one of fifty-three primary fusion centers recognized by the U.S. Department of Homeland Security. Its mission is to analyze and share information, increase awareness, reduce vulnerabilities, and develop strategies in order to prevent, prepare for, and protect against terrorism and other threats to public safety. Prior to his assignment with Ohio Homeland Security, Tom was the assistant commander of the Ohio State Highway Patrol’s Criminal Intelligence Unit. In addition to his supervisory duties, he was and is still involved in ongoing technology projects for a shared intelligence database and a DHS sponsored Centers of Excellence program with Purdue University for visual analytics. He has held field assignments where he served as assistant post commander of the Springfield and Toledo Patrol Posts. As a Trooper, he served at the Delaware and Canfield Patrol Posts. Prior to his career in law enforcement, Tom was an information technology (IT) and telecommunications consultant in the central Ohio area where he oversaw multiple technology projects at companies like SBC Ameritech, Verizon Wireless, WorldCom, and Qwest Communications. Tom is also a veteran of the U.S. Navy where he served as an aviation electronics technician. Tom is currently pursuing his master’s degree in strategic cyber operations and information management from George Washington University. He holds a bachelor’s degree in information technology from DeVry University and a bachelor’s in business administration from Mount Vernon Nazarene University. He is married with two daughters and enjoys working on home improvement projects in his spare time.

New Cyber Threats Emerge Every Day: This presentation will provide an overview of Ohio Homeland Security and the Strategic Analysis & Information Center (SAIC). It will then focus on the current cyber threats that are being reported to the center and provide some tips to protect yourself in the current environment.


Page 11 of 12

Daren Arnold, Chief Privacy Officer, State of Ohio Department of Administrative Services – Office of Information Security and Privacy

Daren Arnold is the Chief Privacy Officer for the State of Ohio. Ohio, like most other states, collects a wide range of personal information from birth certificates to death certificates. In the role of chief privacy officer since 2008, Daren is charged under Ohio law with assisting more than 80 state agencies and their data privacy leads with:

conducting privacy impact assessments that evaluate the risks and effects of collecting, maintaining, and disseminating confidential personal information,

complying with state law, including rules on accessing confidential personal information,

adopting privacy protection processes designed to mitigate potential risks to privacy,

establishing policies for the security of personal information, and

developing education and training programs. He has created the Ohio Privacy Advisory Board to address common privacy challenges that span multiple agencies. Daren joined the State of Ohio in 1996 and has provided analysis and advice on matters of information technology policy and law for the Ohio Office of Information Technology. Prior to working for Ohio, he was the lead researcher for NASCIO, the National Association of State Chief Information Officers. He is an attorney, a graduate of the University of Kentucky, and a certified information privacy professional (CIPP-US).

Practical Privacy Outlook for 2016: The session will provide a brief overview of the main privacy concepts and then highlight key privacy risks and protection strategies for 2016.


Page 12 of 12

David A. Brown Chief information Security Officer for the State of Ohio

David leads Ohio’s development and implementation of a comprehensive security strategy for state agencies. He chairs the Chief Information Security Officer Leadership Subcommittee, which is comprised of CISOs from various state agencies. The CISO Leadership Subcommittee works under the direction of the Leadership Management Committee (LMC) and the State CIO and identifies information security priorities and recommends standards, policies and tools to address these priorities at an enterprise level. David has 20 years of experience in Information Technology, 12 years of which have been in the area of information security; including positions as Information security officer for the Ohio Law Enforcement Automated Data System, Chief Information Security Officer for the Ohio Department of Public Safety, and the Deputy Chief Information Security Officer for the State of Ohio.

Closing Remarks

Documents

2015 Ohio Cyber Security Day Agenda / Speaker Profilesitsecurity.cuyahogacounty.us/pdf_ITSecurity/en-US/... · 2015 Ohio Cyber Security Day Agenda / Speaker Profiles Page 5 of 12