Day 2 - June 4, 2025


9:00 - 10:30 a.m.

Keynote: "A Hacking Carol: Ghosts of Cyber Past, Present, and Future"  

Join us for a transformative cybersecurity journey guided by three digital specters: the Ghosts of Cyber Past, Cyber Present, and Cyber Future.

By understanding where we've come from in cybersecurity, we gain critical insight into where we're heading. This historical perspective illuminates patterns, reveals recurring challenges, and helps us anticipate emerging threats before they materialize. Just as Scrooge's journey through time changed his future, our awareness of hacking’s evolution empowers us to forge a more secure path forward.

Will you heed the warnings of these digital spirits before it's too late?

Tyler Wrightson, Leet Cyber Security

Tyler is the founder of Leet Cyber Security, which helps organizations solve their technical cybersecurity challenges. Leet focuses on offensive security services such as Penetration Testing and Red Teaming to secure organizations against real-world attackers. Tyler has more than twenty years of experience in the IT security field across many industries, including healthcare and financial services, with extensive experience in many areas of technical security, including networking, systems architecture, offensive security and penetration testing. Tyler holds industry certifications such as CISSP, CCSP, CCNA, CCDA, and MCSE. Tyler has also taught classes for CCNA certification, hacking and penetration testing, wireless security, and network security. Tyler is the founder of ANYCon, Albany, New York's annual hacker conference. He has been a frequent speaker at industry conferences including NY Bankers Association (NYBA), NYS Cybersecurity Conference, Derbycon, BSides, Rochester Security Summit, ISACA, ISSA, and others.


11:00 - 11:50 a.m.

Data Privacy & Cybersecurity - State of the Law in 2025

Anna Mercado Clark, Phillips Lytle LLP

Paula Plaza, Phillips Lytle LLP

The constantly shifting legal landscape surrounding cybersecurity is driven by the evolving cyberthreat landscape and legislative and regulatory efforts to address emerging issues and new questions. In this session, Phillips Lytle LLP's Data Privacy and Cybersecurity Team will provide an update on the current state of New York Law governing data privacy and cybersecurity.


NYS Cybersecurity Regulations: Impact on Privacy Policy & Process For Government Agencies and Public Sector Employees

Craig Besnoy, Dunlap Bennett & Ludwig

Joseph Maltino, Spruce Technologies

As cyberthreats continue to evolve, New York State has implemented a series of cybersecurity regulations aimed at protecting sensitive data within government agencies and public sector organizations. This presentation will provide an in-depth exploration of how these evolving regulations—such as the NYS SHIELD Act, Information Security Breach and Notification Act, Part 6220 Cyber Security Requirements for Boards of Elections, and NYS ITS Policy 20-01—impact privacy policies, data security strategies, and compliance obligations. Attendees will gain insights into the regulatory landscape, practical implementation challenges, and proactive measures to strengthen compliance. Key topics include breach notification processes, resource constraints, election security considerations, and future regulatory trends. This session will equip public sector professionals with actionable strategies to enhance their cybersecurity programs while ensuring compliance with state regulations.

Key Takeaways:

1. Understand the evolution of NYS cybersecurity regulations and their relevance to government agencies.

2. Learn how to assess and improve compliance with key regulatory requirements, including the SHIELD Act and ITS Policy 20-01.

3. Explore practical strategies for implementing cybersecurity programs in resource-constrained environments.

4. Gain insights into breach notification processes and best practices for incident response.

5. Prepare for future regulatory changes and emerging cybersecurity threats. 

Addressing the Cybersecurity Gap in ICS/OT: Protecting NYS Critical Infrastructure Panel Discussion

Nicholas Waugh, NYS Division of Homeland Security and Emergency Services Office of Counter Terrorism

Drew Lasater, NYS Division of Homeland Security and Emergency Services Office of Counter Terrorism

Slawomir Marcinkowski, NYSTEC

Kenneth Sill, NYSTEC

Rob Zeglen, NYSTEC

Critical infrastructure brings us safe drinking water, powers our homes and businesses, and supports manufacturing supply chains at our most critical ports. New research has uncovered more than 145,000 internet-exposed Industrial Control System and Operational Technology (ICS/OT) devices, which face an increasing number of cyberthreats and incidents. Cyber incidents in ICS/OT environments are appearing in the news, with water treatment facilities being infected with ransomware, and yet only 52% of ICS/OT facilities have an ICS-specific Incident Response Plan. 38% of these attacks reach ICS/OT devices from business enterprise IT networks. Join the NYS DHSES Office of Counter Terrorism and their assessment team as they discuss:

  • The current ICS/OT Threat Landscape.
  • The 5 critical areas to focus on for ICS/OT cybersecurity.
  • How ICS/OT requires a different approach.
  • What NYS DHSES is doing to keep NY critical sectors safe.

The panel discussion will address these topics and more while allowing some time for audience questions.

Data-Driven Cybersecurity: Enhancing Hygiene, Automation, and Operational Effectiveness

Emma Yeager, Gartner 

Jennifer Pittman-Leeper, Axonius 

Claire Bailey, Tanium

This panel discussion is for executives and technical leaders to explore the foundational principles of cybersecurity and how leveraging better data can significantly enhance cyber hygiene, automation capabilities, and overall operational effectiveness. Panelists will address real-world threats to government and education systems and delve into specific data-driven strategies for improving foundational cyber hygiene practices and enabling more robust security automation. The conversation will bridge policy and practice, offering insights into aligning leadership priorities with the technical realities of utilizing enhanced data to strengthen public sector cyber defense and optimize operational outcomes.

Building an Effective Security Culture: From Awareness to Action

Elijah Cedeno, Multi-State Information Sharing & Analysis Center

Transform your organization's security posture by creating a culture where security becomes everyone's responsibility. This presentation focuses on practical strategies to develop and maintain a security-conscious workforce. Topics will include:

• Security awareness program development

• Measuring security culture effectiveness 

• Employee engagement techniques 

• Incident response communication

• Sustaining long-term security behaviors

ASIA Session 5

Paper: AI-Driven Innovations in Third-Party Risk Management   

Paper: Auditing Strategies for Effective IT Application Portfolio Optimization  

Paper: Detecting Mac Malware by Implementing Machine Learning Algorithm


12:50 - 1:40 p.m.

Data Detour: Navigating Privacy Protections in Digital Solutions

Michele Jones, NYS Office of Information Technology Services

Join us for an insightful session, where we will delve into the essentials of privacy protection and risk management for digital solutions. Learn how to effectively assess privacy risks in digital solutions and discover how these practices can significantly enhance an organization's cybersecurity posture. Whether working in the private or public sector, don't miss this opportunity to gain valuable knowledge and strategies to protect privacy and learn risk principles applicable to all digital solutions.

Regulatory Reality Check: Navigating NYDFS, SEC, CMMC, and Beyond

Tim Tipton, Arctiq

As cybersecurity threats evolve, so do the regulations designed to mitigate them. Organizations operating in New York and beyond must navigate a complex web of compliance requirements—including the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, SEC cybersecurity disclosure rules, and the Cybersecurity Maturity Model Certification (CMMC) for defense contractors. Failing to comply not only increases security risks but also exposes organizations to significant financial and legal consequences. This session will break down key regulatory and compliance requirements impacting businesses today, highlighting recent updates, enforcement trends, and practical steps for maintaining compliance. We’ll explore how organizations can align security programs with regulatory expectations, avoid common pitfalls, and prepare for audits and examinations. Beyond mere compliance, attendees will learn how to leverage regulatory frameworks to strengthen security postures and drive executive buy-in for cybersecurity investments. The session will also provide guidance on anticipating future regulatory shifts and proactively adapting security strategies to stay ahead of emerging requirements. To ensure actionable takeaways, attendees will receive a resource document summarizing key compliance mandates, best practices for meeting requirements, and checklists to enhance regulatory readiness within their organizations.

Key Takeaways:

• Understand the critical cybersecurity regulations affecting New York businesses, including NYDFS, SEC rules, and CMMC.

• Learn how to align security programs with regulatory expectations and avoid compliance pitfalls.

• Explore enforcement trends and real-world examples of regulatory non-compliance consequences.

• Develop a proactive strategy to anticipate and adapt to evolving cybersecurity regulations.

• Receive a practical compliance checklist and best practices guide for implementation.


Technological Disasters: Rethinking Cyber Incidents in Critical Infrastructure

Munish Walther-Puri, NYU Center for Global Affairs

Cyber incidents in critical infrastructure are hybrid disasters, combining elements of natural and man-made catastrophes. This talk explores these "technological disasters" by comparing the 2024 CrowdStrike outage and the 2017 NotPetya attack, examining their cascading effects across interconnected systems. We'll discuss implications for emergency management, governments, underserved populations, cybersecurity providers, companies, and critically, the insurance industry. The presentation will highlight where traditional insurance models fall short and propose fresh perspectives for managing these complex risks. Critical infrastructure cyber incidents defy traditional disaster categories. The accidental CrowdStrike Falcon update in July 2024 caused global disruption across sectors, crashing 8.5 million systems and halting operations in industries ranging from healthcare to transportation. Similarly, the malicious NotPetya attack in 2017 devastated organizations worldwide, including Maersk and Merck, with cascading effects that paralyzed logistics networks and financial systems. While one incident was accidental and the other malicious, both shared characteristics of "technological disasters." Like earthquakes triggering tsunamis, these incidents originated from a single event but rippled through interconnected systems with devastating consequences. Their hybrid nature—combining elements of human error, technological vulnerability, and systemic interdependence—creates unique challenges for emergency management, resilience planning, and insurance models alike. By reframing these events as technological disasters, we can better address their complexity and develop more effective strategies for response, recovery, and management.

Where and how AI, ML and Generative AI are providing unique value for security practitioners (and where they aren’t!)

Allie Mellen, Forrester Research

Generative AI is everywhere, even in security tools. Every security professional needs to understand it, yet there's constant confusion over what it is, how it works, and what value it can really add. In fact, we find that security analysts are not necessarily getting everything they were promised with these new capabilities. Further, as useful as generative AI can be, it also poses its own set of challenges: with trust, cost, and accuracy. In this talk, we share from our research and experience advising the Fortune 500 on how to best use generative AI in security tools. We delve into the current capabilities, the biggest misconceptions and challenges, and what is on the horizon for future capabilities. Join us for a refreshing and honest take on how AI is and will change security operations.


Automated User and Device Onboarding: Why it Matters

Ryan Young, Vandis

The process of onboarding and offboarding employees and devices is inherently complex and often time-consuming, requiring the careful coordination of multiple teams to ensure proper access rights are established and revoked. These steps are crucial for reducing security and compliance risks while also accelerating the time it takes for new hires to make a significant impact. In many organizations, the onboarding process involves numerous manual tasks, such as setting up user accounts, provisioning devices, and configuring access permissions. These tasks can be prone to errors, leading to potential security vulnerabilities and delays in getting new employees up and running. Similarly, the offboarding process must be handled with precision to ensure that access rights are promptly revoked, and devices are properly decommissioned. Regular privilege re-authorization checks can be automated to enforce the principle of least privilege throughout the organization. This ensures that employees have only the access they need to perform their jobs, reducing the risk of unauthorized access and potential security breaches.

Attend this session to learn how automation can play a significant role in streamlining these processes. We’ll review the benefits of automating repetitive tasks and discuss how integrations with existing systems can reduce the time and effort required for onboarding and offboarding. 

• Improve efficiency 

• Enhance security 

• Accelerate time to impact of new hires

• Real world examples and Use-Cases

ASIA Session 6

Paper: A Framework for Financial Markets Impact Assessment of Data Breaches Using Interpretable Machine Learning and Event Study Methods

Paper: AI to the Rescue: How to Outsmart Risks   

Paper: Generative AI Security, Automating Prompt Injections


2:10 - 3:00 p.m.

The Business of Privacy; Is your organization in jeopardy?

Michele Warner, NYSTEC

Jeffrey Wilson, NYSTEC

Sam Dikeman, NYSTEC

Todd Brasel, NYSTEC

Kayvan Karimabady, NYSTEC

Natasha Almanzar-Sanchez, NYS ITS

Members of the NYS ITS Privacy Office and the NYSTEC Cybersecurity and Data Privacy Practice will lead you through the intricacies of the privacy world using the fun and familiar Jeopardy interactive game format. Attendees will learn about privacy, from the basics, to the implications of Artificial Intelligence (AI), to the critical relationship with our information security partners. We will share best practices to help you identify and manage privacy risks, ensure appropriate use of AI, and draft and conduct a Privacy Impact Assessment (PIA). We will also help you understand the basics of various privacy regulations and build the privacy and security program that your business needs.


The Evolution of Security Operations: What's Working, What's Not, What's Next

John Anthony Smith, Fenix24

Cybersecurity operations and tools have never been more critical or complex. Security teams are racing to keep up as modern cyberthreats grow in speed and sophistication. This leaves security teams overwhelmed by noisy alerts, tool sprawl, shifting attack surfaces, and ineffective and incorrect orchestration of security tools and software. This session takes a hard look at the evolution of security operations, including what’s working well, what continues to fail security providers and, thus, their customers, and what the next phase of security operations needs to look like to stay ahead of modern threat actors — with an emphasis on deployment and proper orchestration of an immutable data backup strategy to survive attacks.

Keeping your AI in check: No, it shouldn't know your passwords.

David Santeramo, Mainline Information Systems

Artificial Intelligence (AI) is rapidly transforming industries and societies worldwide, offering unprecedented opportunities and benefits. However, the deployment of AI systems also introduces significant security risks and challenges. This presentation will delve into the critical aspects of AI security, with a particular emphasis on risk management and governance frameworks. We will explore the types of risks associated with AI, including data breaches, adversarial attacks, and compliance challenges. The discussion will cover the potential vulnerabilities in AI systems and the impact these risks can have on organizational operations and trust.

Robust AI Security: Balancing Innovation and Confidence in Dynamic Threat Landscapes

Leo Cruz, Cisco Systems

This presentation provides practical frameworks for developing robust security strategies in the face of evolving AI threats. We address the critical balance between fostering innovation and ensuring confidence through proactive security measures. Topics of interest include, but are not limited to, threat modeling for AI systems, secure development methodologies, scalable security architectures, and the cultivation of security-first cultures. We aim to identify and mitigate emerging threats without hindering the transformative potential of artificial intelligence.

Values-Driven Cybersecurity: Nerdy Fanatic to Empathic Pragmatist

Gary Braglia, OrbitalFire Cybersecurity

Let’s face it: cybersecurity has a branding problem. It’s often seen as an endless parade of doom-and-gloom stats, impenetrable jargon, and perfectionist ideals that overwhelm most small businesses. Soul-less and devoid of heart. But here’s the kicker—your customers don’t want a fanatic with a megaphone; they want a partner who gets them. In this talk, Gary Braglia, VP, Services at OrbitalFire Cybersecurity, will share how technologists can evolve from over-caffeinated tech enthusiasts to values-driven cybersecurity champions. It’s about swapping ‘nerd’ for connection—building strategies rooted in trust, empathy, and business reality. Gary will break down how aligning your security strategy with company values can create longer-lasting cyber awareness adoption, better outcomes, and a reputation that says, “we do unto others.” Join us as we dismantle the myth of the infallible tech hero and embrace the practicality of empathic pragmatism designed for small businesses. Spoiler alert: being relatable (and knowing when to call for backup) is your ultimate security tool.


ASIA Session 7

Paper: Context based IAM for AI Chatbots in healthcare: Enhancing Security in AI enabled Patient Navigation

Paper: AI Governance and Cybersecurity in the Healthcare Sector: An Evaluation of the Role Governance Frameworks and Cybersecurity Measures Play in the Implementation and Use of AI in Healthcare Systems

Paper: Cybersecurity in the Pharmaceutical Industry


3:30 - 4:20 p.m.

Protecting Personal Information from Cyber Criminals in Local Government Online Records: The Privacy Paradox

Dr. David Byrne, St. John's University

In the United States, local and state governments are required to provide open access to their records; however, these files often contain personal information that is attractive to cybercriminals. Balancing e-access while maintaining privacy is a paradox that has been exacerbated by the Internet and presents a real challenge to entities in managing their public records. The ability of any person with internet access to search hundreds of records remotely without visiting the actual repository voids the practical obscurity once enjoyed by individuals when these files were originally only available in a physical format and archived in local courthouses. A reevaluation of the process of offering access to public records is needed to ensure that personal information is safeguarded. To understand the scope of the issue, this research sought to determine the types of personal information that are available, the methods employed by local and state agencies to protect the privacy of their citizenry, and to propose a framework that all U.S. state governments can implement to prevent the release of sensitive personal data. Through the utilization of a qualitative hypothetico-deductive methodology of content analysis with grounded theory, 500 online public records were collected from five randomly selected states that covered five different record types to ascertain the extent and complexities of the situation. The results indicate that there is a tremendous amount of sensitive information that freely exists in local government online public records, and more needs to be done to protect them from cybercriminals.

Let’s Get Tactical - What it Takes to Fight Fraud in Government Programs

Jeffrey Baez, Splunk, Inc.

Government benefits program administrators face the critical challenge of balancing strong security with seamless user experiences amid evolving cybersecurity threats. Today's government agencies are facing greater financial risk due to an increase in both internal and external fraud. While some institutions are using traditional security tools to detect certain types of fraud, the vast increase in the types of fraud requires a different approach to build out a comprehensive program that detects a greater number of threats. A modern approach to fighting fraud requires that we not only focus on the detection of indicators of compromise but also use data to detect anomalies in usage patterns, which increases the accuracy of those alerts. Attendees will learn:

  • What types of fraud are on the rise across government benefit programs
  • An overview of a data-centric approach to fighting fraud
  • How to identify and stop fraud in government benefits programs

We will cover the following concepts:

  • Standardized Scoring: Using a standardized scoring system for different risk levels, which can be easily updated or recalibrated as new data becomes available.
  • Weights and Accelerators: Utilizing a framework that incorporates flexibility through the use of weights and accelerators. These can be adjusted based on evolving understandings of fraud patterns or the introduction of new detection technologies.
  • Adaptable to New Data: As more data is collected, the risk scoring model can be further refined and trained to better predict fraud.
  • Thresholds for Action: Setting clear thresholds for different risk levels, guiding the response to potential fraud. These responses can range from additional monitoring to active investigation.
  • Comprehensive Detection Types: By covering various detection types, the risk model creates a comprehensive view of potential fraud that accounts for a wide range of fraudulent behaviors.
  • Dynamic and Proactive: The framework supports dynamic risk scoring, which can proactively adapt to new threats and changes in the fraud landscape without needing a complete redesign.
  • Transparent and Explainable: The risk model uses clear and explainable factors, making it transparent for analysts, investigators, and auditors to understand why a particular score was given.
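The scoring framework outlined above, as an added Python example that is not code from the session or from Splunk's own products. The detector names, weights, accelerator pairs, thresholds and sample claims are all hypothetical values chosen for illustration: each detector maps its evidence into one standardized 0-100 range, weights and accelerators live in data so they can be recalibrated as new fraud data arrives, thresholds decide the response, and every score comes with the factors that produced it.

```python
from dataclasses import dataclass

# Every detector maps its evidence into one standardized range so scores from
# different detection types can be compared, weighted and recalibrated.
SCORE_MAX = 100

# Weights per detection type (hypothetical values chosen for illustration).
# Kept as data, not code, so analysts can recalibrate them without a redesign.
WEIGHTS = {
    "shared_bank_account": 0.35,  # payout account reused across claimants
    "ip_velocity": 0.25,          # many claims from one source address
    "geo_mismatch": 0.20,         # login location vs. declared residence
    "new_account": 0.20,          # very young accounts
}

# Accelerators: multipliers applied when a set of signals fires together,
# because the combination is riskier than the sum of its parts.
ACCELERATORS = [
    (frozenset({"shared_bank_account", "new_account"}), 1.5),
    (frozenset({"ip_velocity", "geo_mismatch"}), 1.25),
]

# Thresholds for action, ordered from the highest floor to the lowest.
THRESHOLDS = [(70, "investigate"), (40, "monitor"), (0, "none")]


@dataclass(frozen=True)
class Claim:
    claim_id: str
    account_age_days: int
    claims_from_ip_24h: int        # claims seen from the same source IP in 24h
    bank_account_shared_with: int  # other claimants using the same payout account
    login_country: str
    declared_country: str


def score_shared_bank_account(c: Claim) -> int:
    return min(SCORE_MAX, c.bank_account_shared_with * 25)


def score_ip_velocity(c: Claim) -> int:
    return min(SCORE_MAX, max(0, c.claims_from_ip_24h - 1) * 20)


def score_geo_mismatch(c: Claim) -> int:
    return SCORE_MAX if c.login_country != c.declared_country else 0


def score_new_account(c: Claim) -> int:
    # Full score for a brand-new account, decaying to zero over about 50 days.
    return max(0, SCORE_MAX - c.account_age_days * 2)


DETECTORS = {
    "shared_bank_account": score_shared_bank_account,
    "ip_velocity": score_ip_velocity,
    "geo_mismatch": score_geo_mismatch,
    "new_account": score_new_account,
}


@dataclass
class Assessment:
    claim_id: str
    score: float
    action: str
    factors: list       # (detector, standardized score, weighted contribution)
    accelerators: list  # (signals that co-fired, multiplier)


def assess(claim: Claim, weights=WEIGHTS, accelerators=ACCELERATORS,
           thresholds=THRESHOLDS) -> Assessment:
    """Combine standardized detector scores into one explainable risk score."""
    total = 0.0
    factors, fired = [], set()
    for name, detector in DETECTORS.items():
        raw = detector(claim)
        weighted = raw * weights[name]
        total += weighted
        if raw > 0:
            fired.add(name)
        factors.append((name, raw, round(weighted, 2)))
    applied = []
    for signals, multiplier in accelerators:
        if signals <= fired:  # every signal in the set fired on this claim
            total *= multiplier
            applied.append((sorted(signals), multiplier))
    total = min(SCORE_MAX, round(total, 2))
    action = next(label for floor, label in thresholds if total >= floor)
    return Assessment(claim.claim_id, total, action, factors, applied)


def explain(a: Assessment) -> list:
    """Plain-language reasons an analyst, investigator or auditor can trace."""
    lines = [f"{a.claim_id}: score {a.score} -> {a.action}"]
    for name, raw, weighted in a.factors:
        if raw > 0:
            lines.append(f"  {name}: {raw}/{SCORE_MAX} x weight = {weighted}")
    for signals, mult in a.accelerators:
        lines.append(f"  accelerator x{mult} for {' + '.join(signals)}")
    return lines


# Constructed sample claims (not real data).
SAMPLE_CLAIMS = [
    Claim("C-1001", 400, 1, 0, "US", "US"),  # long-standing account, nothing unusual
    Claim("C-1002", 3, 1, 4, "US", "US"),    # 3-day-old account, payout account reused by 4 others
    Claim("C-1003", 200, 6, 0, "RO", "US"),  # six claims from one IP, login abroad
]

if __name__ == "__main__":
    for claim in SAMPLE_CLAIMS:
        print("\n".join(explain(assess(claim))))
```

Passing a different `weights` or `thresholds` mapping to `assess` is the recalibration step: the model adapts to new data without any change to the detector code, and `explain` keeps the resulting score auditable.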

Cloud Under Siege: Defending Against Cyber Threats in the Cloud Era

Michael OConnell, Aspire Technology Partners

This session will provide a deep dive into the evolving cybersecurity threats targeting cloud environments and equip attendees with actionable defense strategies. We’ll explore real-world attack scenarios, best practices for cloud security, and emerging technologies designed to mitigate risks.

Secure your software development lifecycle with AI

Brett Sagenich, Black Duck

The software development landscape is undergoing a significant transformation with the advent of Generative AI. As AI becomes increasingly integrated into DevSecOps, it's essential to develop strategies for safe adoption and responsible use. Recent analyses from Google and Microsoft show that Generative AI can lead to significant productivity gains, 50% overall increase in developer productivity, 25% faster deployment pipeline, and more. With the Generative AI paradigm, the traditional software development lifecycle (SDLC) has an additional phase, "Assistance from Generative AI," which presents both risk and opportunity. As a provider of software risk management solutions, we consider Generative AI in a software development context inherently part of our mission; it joins the traditional code pillars of proprietary, open source, and third-party code in needing a risk management strategy. That strategy starts with an understanding that AI coding assistants leverage large language models (LLMs) that have been trained on publicly available source code, including millions of lines of open-source code. Due to this training, AI-generated code suggestions can contain software assurance weaknesses, security vulnerabilities, and potential IP infringement risks associated with the copyrights and licenses of the training data. In this session we'll cover how the Black Duck R&D team has integrated Generative AI coding tools into our development processes and our security governance. We'll also cover the emerging topic of the AI bill of materials (AI-BOM) and how an AI-BOM aids in standardization of AI usage. We'll conclude with strategies that we've developed for the safe adoption and maintenance of AI-generated code.

Prompting Secure Behavior: Security Awareness Training with AI

John Trest, Inspired eLearning | VIPRE Security Group

Tre Fears, Inspired eLearning | VIPRE Security Group

Join our session as we explore the new benefits and threats of Generative AI tools in security awareness training. Discover how AI can empower trainers to streamline training creation, improve training quality, and bolster training reinforcement. While AI tools offer immense benefits, understanding their limitations is crucial. We'll delve into the boundaries of AI in training development, emphasizing the need for human judgment and the application of adult learning principles. Additionally, we'll discuss how AI is reshaping the cyberthreat landscape in the workplace, as well as how you can equip employees with the knowledge to recognize and mitigate these emerging threats.  

Audience key takeaways include:

  • What AI tools are out there and how they can help you produce and/or enhance your Security Awareness training.
  • The limitations of AI tools and training in adult learning.
  • AI’s effects on the cyberthreat landscape in the workplace and what employees need to be aware of.

ASIA Session 8

Paper: Quantum-Augmented Self-Adaptive Networks (QASANs): A Paradigm Shift for Information Assurance in the Post AI-Quantum Era

Paper: A Firewall Game for Novice Students

Paper: Innovative Auditing Practices: Evidence from Emerging Technologies