1) Healthcare organizations operate more like independent kingdoms than a unified system, making information security challenging.
2) Building an OSINT and recon program can help address these challenges by replacing constant fear with actionable intelligence from monitoring external sources and reconnaissance within the organization.
3) Such a program aims to make security professionals the first contact for issues, establish trust by listening and following up, and focus on addressing what matters to different groups rather than just senior leadership.
Partnering with Health Systems: Potholes and Pitfalls on the road from Customer to Partner (Levi Shapiro)
Partnering with Health Systems: Potholes and Pitfalls on the road from Customer to Partner. Presentation by Dr. Ilan Rubinfeld, Associate CMIO, Henry Ford Health System.
The Corporate Ethics Committee (.docx, mehek4)
The Corporate Ethics Committee
In some organizations, ethics is managed by a corporate committee staffed by senior-level
managers from a variety of functional areas. This committee is set up to provide
ethical oversight and policy guidance for CEO and management decisions.[12] It also
represents an affirmation that top management really cares about ethics.
At Lockheed Martin, the Ethics and Business Conduct Steering Committee
meets once every quarter and has done so since 1995. The committee provides the
organization with strategic direction and oversight on matters of ethics and business
conduct. Each business area and business unit has also established a steering committee
to oversee its ethics and business conduct operations. Members of the corporate
committee include the general counsel (committee chairman), executives of large
operating entities, and vice presidents from functional areas such as human resources,
finance, audit, and communications. The two-way communication between the ethics
office and these senior executives is essential. It gives the ethics office information
about what concerns senior-level management, and it gives the firm’s leadership
information about the types of issues that are coming into the ethics office from
employees. The group’s role is viewed as strategic. The steering committees at all
levels of the corporation review the ethics awareness training and business conduct
compliance training programs, metrics on investigations and requests for guidance,
trends, employee survey results, and matters referred by the business areas and business
units.
COMMUNICATING ETHICS
Within the ethics infrastructure, good communication—downward, upward, and two-way—
is essential if an organization is to have a strong, aligned ethics culture. The
organization must evaluate the current state of ethics communication and initiatives.
It must communicate its values, standards, and policies in a variety of formal and
informal ways that meet its employees’ needs. These communication efforts should
be synergistic, clear, consistent, and credible. They also need to be executed in a
variety of media, because people learn things in different ways. In general, the old
advice to speechwriters still holds. “Tell ’em what you’re going to tell ’em, then tell
’em, then tell ’em what you told ’em.” In addition to receiving downward communication
from management, employees must also have opportunities to communicate
their ethical concerns upward. Finally, an open communication environment must be
created that says it’s okay to ask questions, and it’s okay to talk about ethics. In the
following section, we begin with some corporate communications basics—principles
that should guide all ethics communication initiatives.
CHAPTER 6 MANAGING ETHICS AND LEGAL COMPLIANCE 215
A number of the ethics officers we interviewed were sensitive to the negativity
sometimes attached to the word ethics. Employees can get defensive when they hear
this word. They ...
Hybrid Workplace Harassment: Are You Protecting Your Company from Hidden Thre... (Case IQ)
In today’s “new world of work,” many organizations run on a hybrid model, with some employees working remotely and others in the physical office. While this set-up is convenient, it can cause unique interpersonal issues between employees.
Reduced face-to-face communication makes it harder for teams to bond, while making it easier for harassers to get away with bad behavior. To reduce harassment incidents in your hybrid workplace, you need to foster a culture of openness, willingness to learn, and compassion.
Join workplace investigation and executive management expert Kenneth McCarthy as he outlines how to address and prevent hybrid workplace harassment incidents.
Social Media Policies, Procedures and Governance part 1: Employees (NikComm Inc.)
Social media opens your brand up to risk of reputation damage. You can’t just stick your head in the sand and ignore the risks, and you can’t not participate. What questions do you need to ask your organization to make sure you’re reducing the risk of participation? Do you need a social media policy? How should you deal with issues that arise? How do you make sure your employees aren’t damaging your brand? How do you handle detractors?
In Part 1 of this two-part breakout session offered at the 2015 iMedia Conference we looked at how to reduce risk of damage caused by employees (either inadvertently or on purpose). Learn strategies to develop policies and procedures around getting your governance ducks in a row, and educating and coaching employees to reduce risk to your organization.
Failure to Connect: Why You're Not Getting More From SharePoint (C5 Insight)
Collaboration as we know it has changed dramatically over the years. It wasn't that long ago that we had to make a concerted effort to connect with one another; now that same effort is required to disconnect. So why do organizations continue to struggle to connect with employees, customers and partners?
Collaboration tools and technology are both numerous and sophisticated, but are we really better off? If we have the tools, the technology and the will, then why aren't we doing a better job with collaboration in our organizations?
In this session, we will tackle these questions and more, taking an in-depth look into why collaboration tools such as SharePoint fail to meet our expectations and what organizations can do today to forge new connections, become more productive, increase employee engagement, and build a lasting culture of collaboration.
Safety and Social Media DIA webinar 12 Sep 2013 (Michael Ibara)
This is a webinar version of a talk I originally gave at a DIA event in Wash DC. I've used different examples from my original talk but the theme is the same.
Lecture Notes: First Hint of Trouble, CareNet Systems (.docx, smile790243)
Lecture Notes:
First Hint of Trouble
CareNet Systems
Internal Memo
Date: October 2005
To: Bill Jenkins, President
From: Mary Jo Larder, Director, Human Resources
As you know, I have been having regular meetings with hospital employees in my efforts to implement our quality assurance program. While the purpose of the meetings is educational in nature, there is considerable discussion around many issues. Some of the comments concerned me enough to let you know about them.
A number of people said that they believe the management is being hypocritical in trying to implement a QA program when there are so many obvious outstanding problems that could be addressed by management.
1. There are physicians who have acted abusively toward employees and yet nothing appears to have been done to correct this behavior.
2. Management is continually commenting on the financial problems the hospital is having and yet they are building new facilities instead of giving raises.
3. Employees are also concerned about the hiring freeze because many say they can't carry a greater workload. Many are worried about their jobs and said they are looking at other opportunities.
4. Because of the hiring freeze, managers appear to be tolerating subpar performance by some employees for fear of not being able to replace them.
5. Some employees noted that they are sometimes embarrassed to tell friends and neighbors that they work here because the reputation of our emergency room is not good. They commented on the long waits and rude treatment by the staff.
6. A number of people felt that management does not recognize their good performance and hard work.
Mr. Jenkins, I know this is rather stark. I would be pleased to talk with you and provide more insight, but I wanted to document what I heard over the past couple of weeks before I forget it.
Think about it
This case study presents a complex situation with different types of problems. Analyze the situation using the questions below before you read further.
· What should Bill Jenkins do with this memo? How important is it?
· Did Mary Larder do the right thing by sending this memo?
· The memo addresses a number of issues. How would you describe each and how important is it? Rank the issues in order of importance.
· How can Jenkins address the issues raised in the memo?
· Is there a process Jenkins should follow in addressing these issues?
· What other information does Jenkins need to respond to the contents of this memo?
· Whom should Jenkins consult, both within the organization and outside it?
· What are Jenkins' options? How would you prioritize them?
· How would you recommend Jenkins evaluate the success or failure of each of the chosen strategies?
· For each strategy, who will perceive they benefited and who will perceive they were hurt or harmed?
· If a strategy is shown to be failing, what are the alternatives and exit strategies?
Physician Behavior
Working with a medical staff requires ...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver... (Dana Gardner)
Transcript of a BriefingsDirect podcast on how healthcare provider Lake Health ensures that its internal systems continue to serve patient care, while protecting against outside threats.
If anything became clear this past year when it comes to cyber security, it’s that no one is immune from a successful attack. While a certain flow of news-making breaches is to be expected, this past year was more of a waterfall than a trickle. In addition to the many retailers that were breached, there were healthcare providers, eCommerce sites, government agencies, and well-known tech companies and financial services brands that are household names.
This HP playbook is designed to close the disconnect between how senior leadership at most enterprises is currently prepared to publicly respond to a serious data breach and what it actually needs to know and have in place to be successful.
Brunswick Intelligence - Building reputational resilience to cyber attack (Brunswick Group)
Cybersecurity is a business-critical risk, not just an IT issue. The reputational damage of a cyber breach is often less than the technical damage inflicted, the money lost, or the regulatory fines. With new threats proliferating at startling speed, how companies respond to an attack can be more important than the attack itself. The good news is that companies can seize this challenge to differentiate themselves from the competition and earn a greater level of trust from stakeholders.
Learn more about the four steps companies can take to build their reputational resilience to cyber attack.
Given the current regulatory environment and the resulting changes going on in the industry today, the chief risk officer has become the most important person in the financial institution.
WolfPAC Solutions Group Director Michael Cohn interviewed chief risk officers at financial institutions across the country to find out how they became a CRO, what skills and experience they bring to the role, and what is expected of them now.
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries: libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns, and DIAR helps you find such seeds.
- These are the slides of the talk given at the IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW 2022).
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
My and Rik Marselis' slides at the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally, we had a lovely workshop with the participants, trying to find different ways to think about quality and testing in different parts of the DevOps infinity loop.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
GridMate - End to end testing is a critical piece to ensure quality and avoid... (ThomasParaiso2)
End-to-end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AI (Vladimir Iglovikov, Ph.D.)
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
The Art of the Pitch: WordPress Relationships and Sales
OSINT and RECON in Healthcare
1. Building an OSINT and Recon Program to address Healthcare Information Security Issues
Mitchell Parker, Exec. Dir., Information Security and Compliance
2. Purposes of Presentation
1. To replace the constant stream of fear, uncertainty, and doubt that is the main driver behind Healthcare Information Security in many organizations with actionable intelligence
2. To illustrate how to implement #1
3. Profit!
3. Why am I here?
Healthcare organizations are a series of unstructured kingdoms operating in a loose confederation under one ruler - think Prussian city states before German Unification:
5. How are they designed?
They are designed to operate separately and disjointedly
Departments are Kingdoms and Doctors are Rulers
Medical Staffs per hospital are separate
Everyone gets their own budgets
They can separately contract with other institutions for services and are both profit and cost centers
IT is normally a cost center!
They even get their own vendors
⎻ Golden Rule – he who has the gold makes the rules
Finance and support services are separate and considered drains on profit, innovation, and productivity
6. Structure
They are not used to centralized anything, let alone IT, telling them what to do and how to operate
The prevailing structure does not lend itself to good communication or cooperation
If anything, it’s like a series of small companies that work together sometimes
I’ve had discussions with famous healthcare CIOs that couldn’t tell me what their privacy teams were doing
It is very common for orgs to be this disjointed
7. Healthcare adopted technology early…
And could not get out from under their decisions
You have a significant number of legacy applications and data stores underpinning the business
My favorite examples: Pagers and faxes are still used despite the evident risks due to high replacement cost
Departments and business units want to remain fiercely independent
Or in the case of some universities, centralization costs more money than doing it yourself and running your own Shadow IT department
At least one health system has admitted paying for ransomware because departments didn’t pay for central backup
8. Healthcare Organizations are risk-averse
This means that they purposely inhibit change
Technology changes, especially, are put off in favor of workflow and efficiency
It takes going to numerous stakeholders to get a major initiative completed
Rolling out patient privacy monitoring took over 25 meetings spread across several months and 4 people
Two Factor Authentication took at least 10 meetings and signoff from multiple leadership teams
⎻ Even though the doctors already had it as part of their university employment
You have to align risks with the rest of the org to get the attention of senior leadership
9. HIPAA isn’t known well
Very few people truly understand the Privacy and Security Rules or their intent
This causes significant fear, uncertainty, and doubt among team members
Especially when disciplinary issues occur because of it!
Very few know what it is or what it means, and even fewer can actually explain it to someone outside the privacy and security realm
Lack of knowledge is, ironically, considered to be one of the stumbling blocks inhibiting better healthcare
10. Vendor FUD
Numerous vendors seize on the financial penalties levied by the Office for Civil Rights (OCR) to sell software that doesn’t work
They lie about HIPAA compliance and the costs of data breaches
They make grand claims about audit programs and OCR going after organizations for HIPAA compliance
They promise providers that by buying their programs they will be in compliance with the Security Rule
No, this software really doesn’t work well, and many providers have a false sense of security
12. What are other complicating factors?
Very few people in healthcare have ever had someone sit down and explain it to them
Risk assessments conducted as inquisitions leave team members genuinely afraid for their jobs
13. Let’s Get To Business
Now that I’ve painted a picture of how many organizations that provide medical care are loose confederations, we can get down to business
You cannot effectively have decent security in healthcare without help
To build that help you need to develop OSINT and recon programs that have more contact than your Information Systems department
14. Our customers are targets
Phishing
Business Email Compromise/Targeted social engineering attacks
Malware
Curious onlookers
Ransomware
Robocalls
15. Communication Concerns
Corporations, in general, do not handle communications about security well:
Concerns about liability with issuing recommendations for personal lives or devices
Concerns about taking a stance on divisive social issues
⎻ #MeToo, Gamergate, Social Media
Need to align messaging with corporate values
There’s always a use case that completely challenges training or instructions you put out
⎻ Remember: Risk Averse! If one use case doesn’t fit it can and will derail you!
It takes a long time to navigate large companies
16. KNOW YOUR STRUCTURE
Healthcare is unique with leadership churn at the top
To get promoted or advance, you usually have to move to another organization
⎻ I only ever worked for one CIO that spent more than 10 years in a job
This results in an executive class (Director and up) that routinely changes jobs every few years
This executive class knows each other very well – many were peers at other institutions
You normally don’t become a healthcare executive without knowing someone
There is a palpable disconnect between the Senior Leadership Team and everyone else, no matter what org you work for
17. The Groups That Matter
There is also a group of team members who have been with the organization the longest and have the most history
Typically this cohort is made up mainly of managers and team members
In my experience, very few people actually work their way up from team member to executive in a company – they leave beforehand
This is the group you want to be best friends with
18. What we have to account for…
There is a disconnect between the executive leadership and team members that you have to account for
The communication you would expect between them may not be there
There is a lack of knowledge of the whys of issues
There is also a lack of trust between upper management and teams
Governance is therefore difficult
19. How are risk assessments normally completed?
Managers are often the ones with the most knowledge, but are not normally part of the decisioning or risk assessment processes
Enterprise Risk usually includes directors and executives with little manager input
Information Security Risk Assessments usually have hand-picked team members that senior leadership and consultants vet
I’ve been in these meetings. This is normal behavior for the C suite
20. We need to start with the basics
Know the business well. Interview everyone you can possibly speak to.
People will talk and open up if you actively listen to them
Understand customer needs.
Understand personal concerns of team members
21. The goal: Get people to speak with you first about security issues
There are two things you need to do: Listen and follow up consistently
This includes personal security issues
Your credibility is based on the ability to do these two things
You will be viewed as an outsider if you don’t do this
If you pull this off, your customers will tip you off to what is going on
If you don’t, they will ignore issues and perceive the organization as not caring
22. The truth: Risk assessments don’t capture much and here’s why
Many members of upper management view risk assessment results or audit results as a direct knock on their ability to manage
There are some CIOs and executives that will purposely hide known issues to look better in front of peers.
I have personally seen a CIO hide evidence of known issues because he didn’t want the CFO finding out and making him look bad
⎻ I later made it my mission to resolve said issues after he retired
23. The truth: Risk assessments don’t capture much and here’s why
This means that there are many managers who aren’t telling their Directors or above what’s really going on because they are afraid for their jobs
There are managers and above that want to look good to make it to the next level, so they proceed to cover these items up
Little do many of these managers realize that we are wise to their actions
However, this means that when you assess for risk, you’re getting a sanitized answer
Human nature is security’s worst enemy
They make themselves look good, and hand pick people to answer
⎻ This eventually gets found out and it’s not good!
24. Who do you make friends with?
Simon Travaglia had it right with the BOFH. Make friends with the cleaning staff, facilities, and security.
The PC Techs are your best friends for finding out what is really going on.
The actual application administrators are also your friends
You also should know every Administrative Assistant in the organization
Remember where the swag goes!
If you are a provider, Nursing and the Call Center Admin staff are also your best friends
25. Be your own PR Firm
No one knows who you are if you don’t advertise
You need to get out there and speak at conferences, do webinars, and publish articles
Your customers read them and will follow you on social media
People will come up to you, especially over your Twitter feed
You need to constantly publish and present internally to people for outreach
Otherwise, you’re going to be sitting in a corner with no customers
26. SENIOR LEADERSHIP
Senior leadership is more apt to listen to analysts, the Big 4, or their peers than their own teams
Hence the “I met this person at a CIO or IT Executive conference who can solve all our problems” meetings
If you’re delivering the message at the conferences, you’re more credible
Senior Leadership listens when you publish and can be cited
⎻ Not in some vendor-sponsored mag they ignore
They also listen when you work with standards bodies
⎻ Especially IEEE, NIST, ANSI, or ISO
27. Be your own publisher
Don’t let your customers’ perception of security be the one that comes from the major analyst firms, Big 4 consultants, or scary ads from vendors
They don’t have boots on the ground or get it
Witness the large number talking about emerging tech without discussing the new classes of risks (Blockchain anyone?)
Get the word out on what is really going on to your customers directly
Get onto the good threat intel lists such as REN-ISAC, H-ISAC, and the FBI’s alerts and distill the word out to your friends
28. Be your own Publisher
Avoid the circumspect march toward yet another unneeded high priced technical solution with a smiling face and get people to something they can actually use that produces results
“Tell me what I need to do” – Former CIO I worked for in a leadership meeting
Focus on distilling news and OSINT into actionable operational knowledge
Follow up with customers to make sure they understand
Be their guide and they will be yours
OSINT is nothing without action; without it, it becomes less than intelligence
29. What are the end goals?
OSINT – You take the knowledge that’s out there and adapt it for the people in the organization that will use it for more than PowerPoint fodder
OSINT – You replace the constant stream of FUD with real applicable information, not whatever buzzword of the week someone wants to sell you or scare senior leadership with
30. What are the end goals?
RECON – You get people across the organization feeding you information you can use to better secure it
RECON – You reduce risk by addressing what the team finds important, not what’s distilled up to senior management to make aspirational managers look good
31. How do I follow up?
I will be around to answer questions
Follow or DM me on Twitter at @mitchparkerciso
Follow or connect on LinkedIn: https://www.linkedin.com/in/mitchparkerciso/
View my blog at: https://www.csoonline.com/blog/security-from-the-upside-down/