The Rhode Island Corporate Cybersecurity Initiative (RICCI) is part of the Pell Center’s Cyber Leadership Project—an ongoing effort to provide thought-leadership, policy recommendations, and in-depth research in the ever-expanding field of cybersecurity. RICCI is designed to develop senior business leaders and decision makers who can effect change and make Rhode Island’s business community and critical industries more secure and resilient to cyber incidents.
By bringing together Rhode Island senior leaders from across defense, financial services, technology, transportation, healthcare, energy, and telecommunications, as well as law enforcement and government agencies, this initiative intends to: address the most critical cybersecurity challenges to the private sector; encourage cybersecurity awareness and training; promote best practices, business continuity and resiliency planning; and develop approaches to share cyber threat information and assure legal and regulatory compliance.
RICCI takes advantage of New England’s outstanding academic, industrial, and research resources to develop the next generation of cyber-strategic leaders, who understand the technical, ethical, legal, and compliance issues regarding cybersecurity, and to devise innovative solutions to secure Rhode Island’s organizations and the nation’s private infrastructure.
For more information, or to register for an upcoming event, contact Francesca Spidalieri, Pell Center senior fellow for cyber leadership.
February 23, 2017
Incident Response Preparedness Workshop
Your security staff has just informed you that they have found evidence of a potential data breach… How confident are you in how your team will respond and mitigate the effects? Do you suddenly fear the worst? How will your organization endure the potentially devastating effects of a data breach? The future growth, success, and existence of your organization may depend on how well you handle the situation. During this workshop, Tony Kirtley, Sr. Incident Response Consultant at SecureWorks, will share best practices and lessons learned from the field on must-haves for incident response in the private sector and in government.
March 15, 2017
Cybersecurity & Healthcare Tabletop Exercise
8:30 a.m. Registration and Networking Breakfast
9:00 a.m. – 2:00 p.m. Tabletop Exercise (lunch included)
Partners: SecureWorks, Newport County Chamber of Commerce, PreparedEx, CVS Health
Media headlines in the past year have shown an increased number of cyber attacks targeting hospitals, healthcare insurance companies, and other systems that manage medical records. According to reports, over 155 million Americans have already had their personal health information (PHI) breached or accidentally disclosed since 2009, and these trends are expected to grow in 2017 because most medical systems remain poorly secured.
A data breach in the healthcare sector can have not only financial and reputational effects on the company targeted, but can also be extraordinarily harmful to patients due to the nature of the information disclosed. Understanding the importance of properly protecting PHI and mitigating cyber risks is a must for operators in the healthcare industry. This dedicated cybersecurity tabletop exercise will provide healthcare providers, practitioners, insurers, and government agencies greater insights into the challenges and potential responses to the growing cyber threat. We believe that you and others in your organization can make a significant contribution and gain new response strategies from this exercise.
The tabletop exercise will run a series of cyber intrusion scenarios to identify weaknesses common in the healthcare industry, show how different cyber threat vectors can infiltrate even the most sophisticated computer systems and networks, and explore possible remedies and incident responses.
No IT prerequisites are necessary to participate in this event, as the target audience includes senior managers, security directors, CISOs, CIOs, and communication and HR personnel in the healthcare sector who may play a role during a cyber incident response and recovery. Organizations participating in the exercise should plan to bring two representatives with different roles and responsibilities within their organization in order to better represent both the managerial level and the IT department. The expected outcome of this exercise is to better identify specific cybersecurity issues facing the healthcare sector that can lead to industry-driven solutions.
January 26, 2017
Data Privacy Day: How to Create a Culture of Privacy & Security Within Your Organization
Speaker: Linn F. Freedman, Chair of the Data Privacy & Security Team at Robinson & Cole LLP
The Pell Center joined the 2017 national Data Privacy Day (DPD) campaign, an international effort held annually to raise awareness about the importance of privacy and data protection. As part of this effort, we partnered with data privacy & security expert Linn Freedman to host a special seminar on “How to Create a Culture of Privacy & Security within your Organization.”
This session focused on practical tips and a roadmap on how to address the increasing risks of data management, how to build data privacy and security into the company culture, and how to engage employees to be part of the process. Ms. Freedman, a leading lawyer in cybersecurity, brought her industry leadership and experience counseling global corporations to discuss how to protect an organization’s brand, value, and assets in the face of growing data breaches and ransomware attacks. She also provided practical questions for senior executives to ask IT and HR departments and vendors about the policies and processes in place to protect company data and clients’ information.
December 14, 2016
Identity Fraud Happens to Everyone: So What Do You Do When It’s Your Turn?
Keynote: Adam Levin, Chairman and Founder of IDT911 and Author of “Swiped”
Increasingly, identity theft is a fact of life. We might once have hoped to protect ourselves from hackers with airtight passwords and aggressive spam filters, and those are good ideas as far as they go. But with the breaches of huge organizations like Target, JPMorgan and even the US Office of Personnel Management, more than a billion personal records have already been stolen, and chances are good that you and your organization may already be in harm’s way. This doesn’t mean there’s no hope. Your identity and those of your employees and customers may get stolen, but it doesn’t have to be a life-changing event. Mr. Levin provided a method to help organizations and individuals keep hackers, phishers, and scammers from becoming what will keep you up at night.
November 29, 2016
Understanding Cyber Threats – from the Boardroom to the Workforce
Session I “Cybersecurity and Corporate Leadership: Connecting the Server Room and the Boardroom”
Scott Baron, Chief Information Security Officer at Finance of America Holdings
Information security is both a business risk management and a governance issue that connects technology, business management, and the boardroom. Senior leaders can no longer ignore the clear link between cyber attacks and their impact on customers’ trust, brand value, revenue, and profits. Plausible deniability, lack of awareness about information risk, and treating cybersecurity as a mere ‘IT problem’ are no longer acceptable options. CEOs and company boards are accountable for the health of their organizations and for setting levels of risk for their companies. They are also responsible for building a team of trusted information security professionals able to implement a security program that meets risk and governance requirements and that routinely reports to the C-suite on the company’s cybersecurity posture.
In this keynote speech, Mr. Baron discussed why corporate leaders must understand how cyber risks are being addressed within the company and what the information security staff should be doing to communicate issues, solutions, and progress in addressing those risks. He also discussed legal liability issues for board members and executive management, and delved into the skills and knowledge needed to be an effective Chief Information Security Officer (CISO). Going forward, senior leaders need to understand their increasing role and visibility in their organization’s overall cybersecurity risk posture, while information security professionals will be required to provide meaningful and actionable information to leadership so that effective risk-based actions can be taken.
Session II “Profiles in Cybercrime: Understanding the Adversary”
Joe Provost, CEO, Syncstate
Numerous studies have been written about the psychology of a hacker or cyber criminal. Rather than trying to profile a specific group or individual, companies should be reviewing the information they already hold that may be of value to an adversary and try to understand how that adversary might manipulate their systems or computer network to infiltrate it, so that they can put the right measures in place to safeguard it.
In this talk, Mr. Provost examined three case studies of cybercrime and cyber-enabled crime to better understand the adversary and their particular “how-to.” This approach can help companies profile their own security environment and deploy specific lines of defense that may interrupt the adversary’s mission.
Session III “When Good Tech Goes Bad”
Dan Gortze, Security Manager – SRC Incident Response & Forensics Consulting at SecureWorks
You have spent significant financial and human resources to configure and protect your network and digital assets, purchased several new security tools and software, and now you’re wondering if those technologies will be able to protect your organization against potential cyber intrusions.
In this talk, Mr. Gortze examined real-life scenarios in which security technologies failed and, even worse, cases where threat actors used an organization’s own security technologies against it. Dan did not focus on the pros and cons of particular technologies, but rather examined the need for proper security architecture and the residual risk posed by the pervasive visibility that many security technologies require. He also shared experience and insights from the field.
October 24, 2016
Panel Discussion: “Hacking the Election”
In recent years, state-sponsored hackers and proxies have breached targets from the White House to the State Department to the Office of Personnel Management (OPM) to the DNC, and attacks against electoral candidates and the parties they represent are likely to continue up until the presidential election in November and beyond. More troubling is the possibility that foreign governments may seek to manipulate election results directly or indirectly by affecting turnout, disrupting election sites, and ultimately undermining confidence in the US electoral system itself.
A panel of distinguished experts discussed these and other timely issues on the ability of the US government and local state jurisdictions to maintain the confidentiality, availability, and integrity of our most sensitive information systems and networks.
October 5, 2016
Seminar: “Most Pressing Cybersecurity Challenges & the Evolution of the CISO”
Today’s cyber threats are growing in complexity, scope, and intensity. The pressure on organizations and their CISOs to protect every aspect of their business lines is likewise increasing. This can often result in the CISO becoming distracted, losing focus, and missing the point of their role. On top of those challenges, the role of the CISO is evolving under his/her feet. Organizations and their CISOs need to evolve to keep pace with this dynamic and changing landscape. From tactical focus areas to meeting boardroom-level requirements, this seminar will identify today’s most pressing cyber threats and the common pitfalls faced by CISOs and their IT departments. It will also provide a roadmap to ensure CISOs can succeed in their efforts to protect their organization’s most sensitive digital assets, and discuss the steps they should take to understand their business environment and execute their mission.
May 3, 2016
Executive Seminar: Understanding Cyber Threats in the Boardroom
This Executive Leadership Seminar focused on issues at the intersection of cyber risks to the private sector, cyber preparedness, resilience, cyber liability insurance, workforce development, and regulations and compliance issues. This seminar was designed to help boards of directors ask the right questions of their chief information security officer, technology partners and vendors.
April 14, 2016
Panel Discussion: Risks and Cyber Threats to the Healthcare Industry
A panel of experts discussed cyber risks and threats to the healthcare sector. Speakers shared tips and advice on how to prevent, respond, and mitigate cyber threats to the healthcare industry, and provided a unique perspective on the overall costs of failed compliance and compromises and on the development of holistic cybersecurity and privacy plans.
March 23, 2016
Seminar: Crisis Communications for Data Breach Incidents: Exploring Recent Events, the Value of Crisis Communications for Reputation Management, and the Nuance of Messaging to Prevent Litigation
The escalation of data breach incidents has brought crisis communications to the forefront of regulatory compliance, legal, and brand protection issues. The bottom line is that cyber incidents are going to happen, and your organization must be prepared for this type of event and have a clear, practiced response and crisis communication plan in place in order to survive a cyber incident and minimize the damage to its value and brand. Melanie Thomas discussed recent data breach incidents and the best ways to help clients and stakeholders prepare for these types of events.
February 10, 2016
Seminar: When Good Tech Goes Bad
You have spent significant financial and human resources to configure and protect your network and digital assets, purchased several new security tools and software, and now you’re wondering if those technologies will be able to protect your organization against potential cyber intrusions.
During this seminar, Daniel Gortze, Dell SecureWorks Senior Manager, examined real-life scenarios in which security technologies failed and, even worse, cases where threat actors used an organization’s own security technologies against it. Dan did not focus on the pros and cons of particular technologies, but rather examined the need for proper security architecture and the residual risk posed by the pervasive visibility that many security technologies require. He also shared experience and insights from the field.
December 8, 2015
Tabletop Exercise: Surviving a Cyber Attack: Preparedness and Resiliency in Action
Keynote speaker: Peter Neronha, U.S. Attorney for the District of RI
What should corporate executives, and general counsels in particular, do when their company is the victim of a cyber attack? If a client hasn’t yet called upon you to help them respond to a cyber incident, it will likely happen soon. Do you know which vulnerabilities are most critical to protect against? Are you prepared to take action for a client asking for help in response to a cyber attack?
Our panel of experts took attendees through a simulated cyber attack and different possible scenarios, and provided considerations and tips for legal counsels. The panel also discussed best practices for incident response, including issues that often arise when working with law enforcement and the set of guidelines that should be followed regarding cybersecurity risks and incidents. Panelists addressed disclosure obligations under current securities laws—some of which may require a disclosure of cybersecurity risks and incidents in financial statements—and the pre- and post-breach guidance that will shape the way Boards of Directors address fiduciary obligations as part of corporate governance.
Attendees left with the road map on how to advise their clients facing a cyber attack—how to respond, remediate, and survive.
This program was approved for 4.0 Rhode Island MCLE credit hours.
November 10, 2015
Seminar: “Cyber Liability Insurance and Regulatory Compliance: Everything your Company Needs to Know to Navigate Advanced Cyber Threat, Regulatory Impacts, and Post-breach Strategies”
Advanced cyber threats call for innovative approaches to combat data exposure or manipulation, hacks, insider threats, disruption of service, and other dangers to your company and your sensitive data. As the tactics used to breach a system or steal sensitive information morph, so must a company’s strategies in order to defend itself and be prepared to respond to a significant cyber incident.
Attendees heard from local IDT911 Chief Executive Officer Matt Cullina and IDT911 Chief Privacy Officer Eduard Goodman about contemporary approaches to best defend their company from emerging cyber threats and to prepare for potential breaches. Together, the pair led a lively discussion about the regulatory impacts of cyber security and data breaches, real-life breach scenarios as witnessed through case work with IDT911 clients, and the most advanced ways to combat threats through the use of progressive mitigation strategies and cyber insurance coverage options.
IDT911™ is the leading provider of services that help businesses and their customers defend against data breaches and identity theft, and services more than 660 client partners and 17.5 million households in the United States. Based in Scottsdale, Ariz., the company has several locations in the U.S., Canada and U.K.
October 14, 2015
Panel Discussion: Cybersecurity, the Internet, and the U.S. Presidential Race
The next president will inherit leadership of a nation that is still the most powerful in the world, but that continues to face challenges to its economic and national security of staggering proportions. Among the most pressing challenges are the growing scope, pace, sophistication, and impact of cyber threats. The events of the past year, including numerous breaches of major retailers, rampant theft of intellectual property, cybercrime, cyber disruption activities against the United States’ top financial institutions, and destructive cyber attacks like the one against Sony Pictures Entertainment, clearly demonstrate the need to accelerate collective efforts to increase our nation’s cybersecurity and to preserve the promise of ICT investments and the Internet economy.
A panel of distinguished and internationally known experts discussed these and other timely issues on the future of U.S. cyber policy.
June 9, 2015
Workshop: “Top 10 Cyber Threats: How Do They Work? What Are Some Of The Most Overlooked Vulnerabilities? And How Can You Protect, Prevent And Mitigate Some Of These Cyber Risks?”
You have spent many hours trying to configure and protect your network and digital assets, purchased several tools, and now you are wondering: what is next? Am I actually protected, and am I looking for the right indicators of a potential cyber intrusion?
Joe Provost, CEO of Syncstate, walked participants through the use of several open source tools as part of a SOC/threat-monitoring program that you can implement. He discussed what the tools can and cannot do and how best to deploy them. The goal was to provide participants with several tools, tactics and procedures that they can use within their own organization to build confidence in their cybersecurity strategy and mitigate some of the most common risks. No technical background is needed to participate in this workshop.
May 19, 2015
Lecture: “Cyber Risk Management: U.S. Government And Private Sector Efforts”
The U.S. government has made cyber risk management a key part of its cybersecurity efforts. The NIST Voluntary Cybersecurity Framework, a centerpiece of the Obama administration’s executive order on cybersecurity, was released in February 2014 as a tool to help companies manage their cyber risk more effectively. How has the framework been received by industry, and has it helped companies manage cyber risk in today’s threat environment? What is the status of the administration’s other cyber initiatives? How are corporate boards responding to the need to manage cyber risk? What is their responsibility to do so?
Roger Cressey, partner with Liberty Group Ventures and internationally known cybersecurity and counterterrorism expert, and Kiersten Todt, president and managing partner of Liberty Group Ventures, will explore these and other important and timely issues surrounding cyber risk management in an interconnected workplace.
Registration: This is an invitation-only event and participants must be confirmed in advance. Please RSVP on our Eventbrite page by Monday, May 18.
Roundtable Discussion: “Ensuring Security When Working With Third Party Vendors”
The speakers explored some of the cybersecurity risks of working with third party vendors and discussed how to evaluate and manage them to enable business objectives. National Grid’s Michael Andreozzi, IS compliance manager, and Scott Baron, director, governance risk and compliance, examined important steps companies can take to identify risks of potentially insecure service providers, and options to mitigate those risks as part of their decision making process. They also engaged the audience in an open and frank discussion about third party management policies and strategies already in place in some of the other organizations represented in the room, from both the private and public sectors.
Panel Discussion: “Enterprise Cybersecurity Workforce Management”
The speakers discussed ways to optimize enterprise resources, prioritize essential security tasks, and develop a comprehensive cybersecurity strategy to increase the security posture of organizations. Panelists included Francesca Spidalieri, senior fellow for cyber leadership at the Pell Center; Maurice Uenuma, senior vice president at the Center for Internet Security; Geoff Hancock, CEO for the Advanced Cybersecurity Group; and Jack Nicholas, director and general counsel at Creative Services Inc.
Panel Discussion: “Cyber Information Sharing”
The speakers discussed how to establish and maintain effective information sharing partnerships to enhance an organization’s situational awareness, acquire the right threat feed from trusted sources and manage an organization’s exposure to intrusions and breaches through comprehensive cybersecurity programs. Panelists included Ellen Giblin, counsel at Locke Lord and Pell Center adjunct fellow; Don Ulsch, PwC managing director and cybercrime expert; and Ken Mortensen, PwC senior managing director and privacy expert.
Seminar: “Keep Your Organization On The Winning Side Of Cybercrime In 2015”
The first workshop for 2015 featured Andy Bonillo, director of cybersecurity and public safety for Verizon, who offered a unique opportunity for participants to hear about the latest cyber threats, vulnerabilities and trends, and what to expect in 2015. He shared with the group of senior executives gathered for the seminar an overview of major cyber-attack patterns and findings from the 2014 Verizon Data Breach Investigation Report – one of the most anticipated annual computer security reports in the field.
Follow-Up Discussion: “Strengthening Rhode Island’s Data Security And Breach Notification Law”
During this follow-up meeting to the September workshop, key stakeholders around the state provided advice and guidance on the changes needed to strengthen the current Rhode Island Data Security and Breach Notification Law. Sen. Lou DiPalma chaired the meeting with representatives of the financial sector, the R.I. Attorney General’s Office, the R.I. Department of Business Regulation, and the R.I. State Police.
Seminar: “Cybersecurity And Your Business: Security Strategies For SMBs”
Frank Motta, executive vice president of CAI Managed IT, discussed cybersecurity issues and business continuity solutions for small and medium-size businesses (SMBs), and in particular the need for businesses to develop a holistic, company-wide methodology for minimizing their exposure to hackers and cyber criminals. He provided a list of best practices and low- or no-cost solutions for SMBs to protect their systems and digital assets, from prevention and mitigation strategies to disaster recovery planning and cyber risk management.
Seminar: “Cybersecurity And Corporate Leadership: Connecting The Server Room And The Board Room”
Steve Katz, the world’s first chief information officer and renowned cybersecurity expert, discussed the need for corporate leaders to be fully informed about how cyber-risk issues are being addressed within their companies, and outlined the skills and knowledge that a chief information security officer should have, especially the ability to communicate cybersecurity issues effectively and to build relationships with the C-suite.
Panel Discussion: “Cybersecurity And Cyber Counter Strikes: Concept And Laws”
The event brought together internationally renowned experts and cybersecurity practitioners to discuss numerous key cyber-operation concepts, including the legal implications of active defense, cyber-countermeasures vis-a-vis the Tallinn Manual, and how “privatized cyber counter strikes” may influence the future of cyber deterrence.
The panel included:
- Joe Provost, CEO of SYNCSTATE, a cyber threat security and intelligence analysis company
- Robert Clark, distinguished professor of law at the U.S. Naval Academy’s Center for Cyber Security Studies
- Col. James Bitzes, staff judge advocate for the U.S. Cyber Command
- Michael Schmitt, director of the Stockton Center for the Study of International Law at the U.S. Naval War College and main author of the “Tallinn Manual on the International Law Applicable to Cyber Warfare”
- Karl Wadensten, president of VIBCO, a prominent R.I. manufacturer
The five distinguished panelists explored the timely and controversial issues of commercial hacking and the lack of clearly-defined laws – whether domestic or international – to deter, punish, and/or pursue foreign hackers.
Workshop: “Strengthening Rhode Island’s Data Security And Breach Notification Law”
The invitation-only roundtable discussion brought together key players in the state to review current gaps in Rhode Island’s Data Security and Breach Notification Law, compare the R.I. law with those of other states, and propose methods to strengthen the existing law. The distinguished group of policy makers, state representatives, business leaders and law enforcement officials present at the workshop agreed that an update to the current R.I. notification of breach law is both necessary and urgent in order to raise the cost of data breaches, to better protect customers’ personal information, and to provide companies with incentive to implement better security practices. A list of their recommendations to strengthen the existing law will be published in an upcoming policy memo.
Tabletop Exercise: Rhode Island Corporate Cybersecurity
The first R.I. Corporate Cybersecurity Tabletop Exercise was a cross-industry, discussion-based exercise that provided private sector leaders the opportunity to raise their awareness and develop an understanding of the most pressing cyber threats to their organizations’ networks and sensitive information.
More than 30 industry leaders participated in the exercise, demonstrating their commitment to cybersecurity and their desire to build upon existing informal relationships to improve the overall security posture of the R.I. private sector.
Lecture: Why American Corporations Should Care About Cybersecurity
Corporate America is constantly being targeted by cyber-attacks and cyber espionage, and its brand integrity and market advantage are increasingly at stake. Melissa Hathaway discussed several potential targets within our cyberspace—especially private sector networks—common vulnerabilities that allow cyber-attacks to succeed (i.e. poor network security postures or procedures, lack of understanding of the different/layered techniques that are being used to get to us), and what companies can do to better protect themselves.
Workshop: After-Action Report
The After-Action Report Workshop discussed lessons learned from the Corporate Cybersecurity Tabletop Exercise and further steps companies may take to better protect their organizations from cyber threats and vulnerabilities. The workshop built upon the exercise by outlining major strengths and areas of improvement, discussing how organizations currently handle situations similar to the ones simulated in the exercise, and identifying any related best practices.
The comprehensive After Action Report includes the findings and observations of this exercise and offers actionable recommendations to help organizations prioritize their cybersecurity improvement plans and cultivate information-sharing and cooperation activities.
Seminar: Cybersecurity Emerging Trends And Threats For 2014
The seminar introduced participants to the current tactics, techniques, and procedures that malicious actors are deploying against network infrastructure worldwide. Ken Bell, senior cyber intelligence analyst at Raytheon and adjunct fellow at the Pell Center, examined the emerging trends and threats related to cybersecurity for 2014 and discussed proactive measures to help organizations, regardless of their size/industry, better protect their proprietary information and assets from those emerging threats.
Workshop: “But They Said It Was Secure!” Improving Communication Between Senior Leaders And IT
The workshop focused on the often missing link in cybersecurity – plain English communication between IT people and executives, whose responsibility is to protect company assets and reputation. Subject matter experts April Lorenzen and Nat Kopcyk from Dissect Cyber led the workshop and various group exercises and activities on some of the most pressing cybersecurity topics. Participants came away with a better idea of how to infuse a stronger culture of security, proof and transparency into the protection of their organizations’ sensitive information and digital assets.
Panel Discussion: Improving Critical Infrastructure Cybersecurity: The National Cybersecurity Framework And Beyond
The panel discussion explored how Rhode Island organizations charged with providing the state and nation’s financial, energy, health care and other critical systems could use the National Cybersecurity Framework to better protect their information and physical assets from cyber attacks. The panel included Adam Sedgewick, National Institute of Standards and Technology senior information technology policy adviser; Michael Leking, the Department of Homeland Security’s cybersecurity adviser for the Northeast region; and Jamia McDonald, executive director of the state’s Emergency Management Agency. The three distinguished panelists discussed the specifics of the framework and other national and state initiatives to support its implementation. In addition, Sen. Sheldon Whitehouse (D-RI) and Rep. James Langevin (D-RI) delivered keynote speeches and acknowledged the commitment of R.I. leaders to strengthen the state’s cybersecurity posture and of institutions, like the Pell Center, that provide an excellent forum for regional efforts in this field.
Lecture: Cybersecurity and Cyber War: What Everyone Needs to Know
A generation ago, “cyberspace” was just a term from science fiction, used to describe the nascent network of computers linking a few university labs. Today, our entire modern way of life, from communication to commerce to conflict, fundamentally depends on the Internet. And yet there is perhaps no issue that has grown so important, so quickly, and that touches so many, that remains so poorly understood. Peter Singer discussed how cybersecurity issues affect everyone from politicians, to the military, business executives, lawyers, ethicists, and individuals in general. He presented his latest book, “Cybersecurity and Cyber War: What Everyone Needs to Know,” and addressed some of the main questions we all face in everything from our rights and responsibilities as citizens to how to protect ourselves and our families from a new type of danger.