Ponemon Institute

News & Updates

Ponemon Institute is pleased to announce the release of Flipping the Economics of Attacks, sponsored by Palo Alto Networks. In this study, we look at the relationships between the time spent and compensation of today’s adversaries and how organizations can thwart attacks. As revealed in this research, while some attackers may be motivated by non-pecuniary reasons, such as those that are geopolitical or reputational, an average of 69 percent of respondents say they are in it for the money.


Ponemon Institute Fellows: S-T-U


Greg Schaffer

Greg Schaffer is CEO and Founder of First72 Cyber, a cyber security firm created to help enterprises prepare for, respond to and manage the risk of cyber events, with a special focus on the rapidly emerging area of third-party risk. He is responsible for all aspects of the enterprise’s development and execution including product development, infrastructure build, service delivery, quality assurance and partnerships.

Greg Schaffer is also Chief Security Strategist for the Circumference Group, an investing team with deep experience in operations, business development, software development, mergers and acquisitions, asset acquisitions, business integration, investment banking, and public and private investing.

Prior to joining Circumference in December 2013, Schaffer served as chief information security officer (CISO) for Fidelity National Information Services, Inc. (FIS), the world’s largest global provider dedicated to banking and payments technologies. In this role, Schaffer had enterprise-wide oversight of FIS’ information security program, functions and initiatives.

Prior to joining FIS, Schaffer worked for the U.S. Department of Homeland Security, where he served as acting deputy under secretary for the National Protection and Programs Directorate (NPPD) and assistant secretary for Cybersecurity and Communications.

Prior to the Department of Homeland Security, Schaffer developed and implemented an enterprise security and compliance operation for Alltel Communications, serving as its CISO, chief security officer and chief risk officer, as well as establishing its Office of Privacy.

Schaffer holds a juris doctor (JD) degree from the University of Southern California Law Center. He is a member of the District of Columbia Bar and practiced law for over 10 years, including a position as a trial attorney for the U.S. Department of Justice, Criminal Division, Computer Crime and Intellectual Property Section.

In addition to his JD degree, Schaffer also holds a bachelor’s degree in political communications from George Washington University, Washington, D.C.

Howard A. Schmidt

Mr. Howard A. Schmidt is president and CEO of R & H Security Consulting, LLC.

He served as vice president and chief information security officer and chief security strategist for eBay. Most recently, Schmidt was chief security strategist for the U.S. CERT Partners Program for the National Cyber Security Division in the Department of Homeland Security.

He retired from the White House after 31 years of public service in local and federal governments, including the Air Force Office of Special Investigations and the FBI National Drug Intelligence Center. He was appointed by President Bush as the vice chair (later becoming chair) of the President's Critical Infrastructure Protection Board and as the special adviser for Cyberspace Security for the White House. Prior to the White House, Schmidt was chief security officer for Microsoft.

Schmidt is the international president of the Information Systems Security Association and was the first president of the Information Technology Information Sharing and Analysis Center. Schmidt has been appointed to the Information Security Privacy Advisory Board to advise the National Institute of Standards and Technology, the secretary of Commerce and the director of the Office of Management and Budget on information security and privacy issues.

Winn Schwartau

Winn Schwartau is one of the world's top experts on security, privacy, infowar, cyber-terrorism and related topics. He coined the term “Electronic Pearl Harbor” while testifying before Congress in 1991. Winn Schwartau thinks asymmetrically and has been “Security” for 30 years. If you want originality in thought, writing, presentations or any aspect of Security, call Winn. In addition to being called “The Civilian Architect of Information Warfare,” he is one of the country's most sought-after experts on information security, infrastructure protection and electronic privacy.

Provocative, informed, challenging, he's on the leading edge of thinking, writing and speaking. Highly technical security subjects are made understandable, entertaining, engaging and thought-provoking. Audiences find themselves challenged with original ideas which are related through historical analogy and metaphor and made relevant to the present and future world.

He was named one of the Top-20 security industry pioneers by SC Magazine, one of the Top 25 Most Influential People for 2008 by Security Magazine and one of the Top 5 Security Thinkers for 2007 by SC Magazine, and in 2002 was honored as a “Power Thinker” and one of the 50 most powerful people by Network World.

A prolific writer, his seminal works on Information Warfare in the late 80s and 90s defined cyber conflict. His novel, Pearl Harbor Dot Com, begat Die Hard IV and, more than 3,000 articles and speeches later, Winn is still the ‘go to guy’ when people want straight shooting, no-BS originality, interpretation and prognostication. His predictions began in 1988 and have been alarmingly accurate. “I would rather people listened and acted than be right.”

Amichai Shulman

Amichai Shulman is Co-Founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva's internationally recognized research organization focused on security and compliance. Mr. Shulman regularly lectures at trade conferences such as RSA and Infosec and delivers monthly eSeminars. He also tutors undergraduate students in Information Security projects at the Technion, Israel's leading academic institute.

The press draws on Mr. Shulman's expertise to comment on breaking news, including security breaches, mitigation techniques and related technologies. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial Web application and database products, including Oracle, IBM and Microsoft.

Prior to Imperva, Mr. Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including Web and database penetration testing and security strategy, design and implementation.

Mr. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has a B.Sc. and a master's degree in Computer Science from the Technion, Israel Institute of Technology.

Al Silipigni

Al Silipigni leads the privacy function at HSBC – one of the largest banking and financial services organizations in the world. Mr. Silipigni leads the strategic direction for privacy risk consistent with HSBC’s corporate objectives and risk appetite, promoting a strong culture and commitment to customer and employee privacy. Mr. Silipigni believes that privacy is both a regulatory and operational risk and, when done right, is a driver of innovation, best-in-class economics and customer loyalty. Furthermore, it is the consistent execution of core privacy principles that drives trust with regulators, employees and customers – a goal for any Privacy Practitioner.

Prior to HSBC, Mr. Silipigni held positions of increasing responsibility at the American Express Company culminating as Chief Privacy Officer. Consumer research named American Express “the most trusted company for customer privacy” during his tenure.

Prior to American Express, Mr. Silipigni was vice president strategic marketing at JPMorganChase with a focus on introducing new products and services.  He was Senior Engagement Leader at Cap Gemini/Ernst & Young where his focus was on embedding emerging technology into the core business practices of established companies.  As vice president/client partner for interactive digital marketing within the Omnicom Group – his focus was on translating offline brands into the online space.

Mr. Silipigni is a long term member of the Responsible Information Management Council of the Ponemon Institute.  Mr. Silipigni is a founding member of The Future of Privacy Forum Advisory Board (FPF).  FPF is a Washington, DC based think tank seeking to advance responsible data practices.   Mr. Silipigni sits on the Education Advisory Board of the IAPP and was elected to chair the 2013 IAPP Practical Privacy Series for Financial Services in NYC.  Mr. Silipigni is an elected member of the Regulatory Steering Committee of BITS of the Financial Services Roundtable.

In 2013, Mr. Silipigni was recognized as a Privacy by Design (PbD) Ambassador for his commitment and advocacy for the protection of personal information.

Mr. Silipigni recently published his first book, “Practitioner’s Guide to Financial Institution Privacy,” on operationalizing privacy. Published by Thomson Reuters, the book is co-authored by Mr. Andrew Serwin of Morrison and Foerster.

Mr. Silipigni is a Certified Information Privacy Professional with the IAPP. He has an MBA from the NYU Stern School of Business and a BS from Lehigh University.

Daniel Solove

Daniel Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School. He began teaching law at Seton Hall Law School in 2000. He joined the George Washington University Law School faculty in 2004.

Professor Solove writes in the areas of information privacy law, cyberspace law, law and literature, jurisprudence, legal pragmatism and constitutional theory. He teaches information privacy law, criminal procedure, criminal law and law and literature.

An internationally known expert in privacy law, Professor Solove has been interviewed and quoted by the media in several hundred articles and broadcasts, including the New York Times, Washington Post, Wall Street Journal, USA Today, Chicago Tribune, the Associated Press, ABC, CBS, NBC, CNN and NPR.

Professor Solove has consulted in high-profile privacy law cases, contributed to amicus briefs before the US Supreme Court and testified before Congress. He serves on the advisory boards of the Electronic Frontier Foundation and the Future of Privacy Forum and he is on the board of the Law and Humanities Institute. Professor Solove blogs at Concurring Opinions, which covers issues of law, culture and current events. ABA Journal selected it as among the 100 best law blogs.

Francesca Spidalieri 

Francesca Spidalieri is the Senior Fellow for Cyber Leadership at the Pell Center for International Relations and Public Policy at Salve Regina University, where she leads the Cyber Leadership Project and the Rhode Island Corporate Cybersecurity Initiative. Her academic research and publications have focused on cyber leadership development, cyber education and awareness, cybersecurity workforce management, and the professionalization of the cybersecurity industry. She regularly speaks at cyber-related events nationwide and lectures on cybersecurity issues at Salve Regina University and other local organizations. Francesca is also part of a team at the Potomac Institute for Policy Studies developing a Cyber Readiness Index, a unique methodology to evaluate countries’ maturity and commitment to cybersecurity. In addition, Francesca serves as subject-matter expert on the Center for Internet Security’s Roles & Controls Panel developing an Executive Guide to a Cyber-Secure Workforce, and was recently appointed by Governor Gina Raimondo to the first-ever Rhode Island Cybersecurity Commission.

She holds a B.A. in Political Science and International Relations from the University of Milan, Italy; an M.A. in International Affairs and Security Studies from the Fletcher School at Tufts University; and has completed additional coursework in cybersecurity at the U.S. Naval War College's Center for Cyber Conflict Studies.

S. Srinivasan

S. Srinivasan (nickname Srini) joined TSU on August 1, 2013 as Associate Dean for Academic Affairs and Research as well as a Distinguished Professor of Business Administration. Prior to coming to TSU, I was the Chairman of the Division of International Business and Technology Studies at Texas A & M International University's A.R. Sanchez School of Business in Laredo, TX. I was there from 2010 to 2013. Before coming to Laredo, I spent 23 years at the University of Louisville (UofL) in Louisville, Kentucky. At UofL I held joint appointments in the Computer Information Systems Department in the College of Business and the Computer Science Department in the Speed School of Engineering. During my time there I started the Information Security Program as a collaborative effort of multiple colleges. I was Director of the InfoSec program until 2010 when I left for Laredo. The program was designated a National Center of Academic Excellence in Information Education by the National Security Agency (NSA) and the Department of Homeland Security (DHS).

I successfully wrote several grant proposals in support of the InfoSec Program. My first book on Cloud Computing titled “Security, Trust, and Regulatory Aspects of Cloud Computing in Business Environments” was published in March 2014 by IGI Global, Hershey, PA. The second book on Cloud Computing titled “Cloud Computing Basics” was published in May 2014 by Springer, NY. My area of research is Information Security. I am now working on a new project on Big Data Analytics. I have taught the Management of Information Systems course at the MBA level in US as well as in our international programs in El Salvador and Greece. I have spent my sabbatical leaves from UofL in Siemens at their R & D facility in Munich, Germany; UPS Air Group in Louisville, KY; and GE Appliance Park in Louisville, KY. Besides these industry experiences, I have done consulting work with US Army, IBM and a major hospital company in Louisville, KY.

Anish Srivastava 

Anish Srivastava is the CEO and President of TUV Rheinland OpenSky, a wholly owned subsidiary of TUV Rheinland Group. He also serves as a member of the Board of Directors for TUV Rheinland OpenSky.

Anish has more than 20 years of experience leading, innovating and scaling cybersecurity businesses globally. Throughout his career, he advised a number of global clients in addressing complex, large-scale transformation challenges around information and IT security.

Prior to joining TUV Rheinland OpenSky, Anish held several leadership and executive positions at IBM, most recently as Managing Partner and Practice Leader of the North America IBM Security Services Business Unit. Earlier, he held a similar role in the Asia-Pacific region. Before joining IBM, he was with Tata Consultancy Services, leading the Information Risk Management consulting and services business for the North America region, driving sales and delivery targets for the company. Anish holds both an MBA and a Bachelor in Computer Science from the University of Pune.

Peter Stephenson

Dr. Peter Stephenson is the Associate Director of the Department of Computing in the School of Business and Management at Norwich University. He teaches in the areas of cyber attack/defend, digital forensics and digital investigation.  He was awarded the Distinguished Faculty honor in the College of Graduate and Continuing Studies and is the Chief Information Security Officer for the university.

Dr. Stephenson has over 50 years’ experience in various technology and information assurance fields and has written or contributed to 18 books, including his Investigating Computer Related Crime (CRC Press – now in its second edition) and several hundred articles in major national and international trade publications and technical/scientific journals.

Dr. Stephenson’s current research is on hybrid crime assessment. He holds the CCFP, CISSP, CISM and FICAF designations, is a licensed professional investigator (Michigan) and is a member of the American Academy of Forensic Sciences and the Vidocq Society.

Patrick Sullivan

Patrick F. Sullivan, Ph.D., has over twenty years' experience in helping organizations develop and implement information security and privacy risk management and compliance programs. He specializes in a standards-based approach, and is an expert in implementing and auditing ISO 27001 Information Security Management Systems and ISO 20000 IT Service Management Systems. His clients have included Fortune 500 companies in financial services, travel, telecommunications, information management, and the pharmaceutical industry. He has also worked with international data protection authorities in Hong Kong and Canada, and with U.S. Federal agencies.

Dr. Sullivan holds a Ph.D. in Philosophy from the University of Kentucky, and M.A. and B.A. degrees in Philosophy from, respectively, Southern Illinois University, Carbondale, and Indiana University, Indianapolis (IUPUI). His early career in academic teaching and research led to a focus on ethical issues surrounding information technologies and the practical problems organizations face in managing the balance between protecting critical information assets and using those assets to achieve business goals. This led to a career transition helping organizations solve those problems with effective information governance, risk management and compliance strategies.

Dr. Sullivan currently is a Principal Consultant with JBW Group International, Inc. Prior to joining JBW Group he was with Synomos, Inc, Guardent, Inc, PricewaterhouseCoopers LLP, and was the founding executive director of the Washington D.C. based Computer Ethics Institute. He is a current board member and past chair of the Indiana Security and Privacy Network (InSPN).

Lee Sustar

Lee Sustar is a journalist and information technology researcher. As a reporter, Lee has covered a range of issues, including PCI-DSS, IoT security, cyber risk models, cloud security, state, federal and non-U.S. legislation on data breach reporting, consumer privacy, advanced persistent threats, cyber armies, application security, threat intelligence, SIEM technology, BYOD security, incident response, Apple/iOS security, young hackers, insider threats and legal liability in breaches. He has also served as a technical writer for such companies as Microsoft, IBM, Cisco, AT&T, Oracle and Dell.

Lee's research, reports and investigations, undertaken through academia and nonprofit organizations—in the U.S., Russia, Latin America and Africa—concentrate on the changing world economy and its impact on technological innovation, the workplace, education, public health and the environment. He is also a frequent public speaker on economic, political and international affairs.

Dan Swartwood

Dan Swartwood is currently the Information Security Governance Leader for Mars, Inc. Prior to this he was the Director, Information Safeguarding, for the Walt Disney Company. Dan has focused his career on data protection, privacy and intellectual property protection issues.

Prior to Disney, Dan provided leadership to all aspects of Motorola's global Data Protection efforts as the Deputy CISO. Before Motorola, he was the Data Privacy Officer at HP and the first ever Corporate Privacy Manager at Compaq Computer. While at Compaq, he also served as the Corporate Information Security Manager. Prior to Compaq and after retiring as a US Army Counterintelligence Officer, Dan participated in an independent review of the White House security program at the request of the Director of the US Secret Service.

For the last seven years, Dan has served as the Vice President of the Society for the Policing of Cyber Space (POLCYB), the leading international non-profit organization helping third world countries in developing infrastructure to deal with the growing threat from cyber crime. He has led efforts to create a global cyber crime survey targeted at international law enforcement, prosecutorial and judicial officials to better understand the challenges they face dealing with international cyber crime. He has also led an effort to create a certificate program to help train the same groups in managing the international aspects of cyber crime enforcement.

He was the first and only Chairperson of the International Association of Privacy Professionals Certification Panel, which created the first privacy certification program. Dan is one of the original Certified Information Privacy Professionals. In Oct 2007, he was identified as one of the top 25 privacy professionals in America. He is the co-author of five bi-annual proprietary information loss surveys sponsored by the American Society for Industrial Security, International, and has authored articles and speaks at national and international conferences. He holds a Master of Science degree in Strategic Intelligence from the US Defense Intelligence College.

Mohan Tanniru

Dr. Mohan Tanniru is the Professor of MIS in the Decision and Information Science Department of the School of Business Administration at Oakland University and a senior investigator at Henry Ford Health System. He has taught at the University of Arizona, Syracuse University, and University of Wisconsin-Madison, and was the former Dean of the School of Business and the founding director of Applied Technology of Business Program at Oakland University, and the Dept. Head of MIS at University of Arizona.

Mohan has published extensively in information technology research for the last 30 years in areas such as IT strategy, knowledge base/expert systems, decision support and business analytics, and health care delivery management. His work has appeared in journals such as ISR, MIS Quarterly, Decision Sciences, DSS, JMIS, IEEE Transactions in Eng. Management, Expert Systems and Applications, Information and Management and Communications of ACM. He has coordinated numerous graduate and undergraduate projects with over 60 large companies including GM, Chrysler, EDS/HP, Lear, Comerica, Carrier-UTC, MONY, Bristol Myers Squibb, Honeywell, Intel, and Raytheon, and several health care organizations such as Kaiser Permanente, Beaumont Health Systems and St Joseph Mercy-Oakland, among others.

Timothy R. Thatcher

Timothy R. Thatcher has over 25 years of cumulative operations, risk management and leadership experience in a variety of fields to include Healthcare, Biotechnology, Banking, Telecommunications, Human Resources and Information Security and currently serves in an Information Security Advisory capacity with USAA, a Texas-based Fortune 500 diversified financial services group of companies, that serve, or served, in the United States military.

In addition to a Master’s in Business Administration and BBA in Organizational Psychology, Timothy is certified in Lean Six Sigma methodology and has held senior positions at organizations such as Bank of America, HCL, Wells Fargo, QVC and Grifols to name a few. Timothy has been recognized for his many contributions in Innovation, Process Improvement Excellence and Community Involvement.

Key accomplishments include:

  • Co-founded successful medical services company and sold it to a major healthcare corporation.
  • Created and rolled out Timeline Management procedures, processes and performance metrics that resulted in an estimated net savings of $1M per month for Bank of America’s Bankruptcy portfolio. 
  • Re-engineered enterprise level communications services for USAA resulting in an overall increase in member satisfaction and estimated 15% decrease in associated operational cost.
  • Oversight of Production Support, Business Quality Assurance, Logistics, Testing and Change Management of USAA’s loan origination system resulting in increased efficacy and compliance with new, changing regulations. 
  • Retrained staff, reorganized facility and re-engineered bio-manufacturing process of Grifols resulting in zero observations in FDA 483 inspection while increasing donor volume (now the 10th largest producing plasma facility in the nation). 

Timothy is currently pursuing a law degree with a focus on Cybersecurity and is a member of the Information Systems Security Association (ISSA), an international professional association focused on information security, risk management and governance.

Patricia Titus

Patricia Titus is the Chief Information Security Officer at Markel Corporation, located in Richmond, VA. She will continue serving on the Board of Advisors for Guardant Global, a worldwide services company. She is a Distinguished Fellow at the Ponemon Institute and serves on the Visual Privacy Advisory Council focusing on Visual Hacking issues.

Ms. Titus was the Vice President and Chief Information Security Officer at Freddie Mac, Symantec, Unisys Corporation and the Transportation Security Administration within the Department of Homeland Security. She was focused on transforming, implementing and maintaining robust IT security programs.

Ms. Titus also worked overseas for several years in various positions within the U.S. Department of Defense, the U.S. State Department and various private sector firms. She has more than 20 years of security management experience. Ms. Titus is on the Board of Advisors for the Executive Women’s Forum and was recognized as a 'Woman of Influence' by the Executive Women’s Forum in 2009 and the Silicon Valley Business Journal in 2013. She serves on the Executive Women’s Advisory Board for the Girl Scouts Council of the Nation’s Capital.

MacDonnell Ulsch

Don has more than 30 years of experience in the fields of forensic investigations, cybercrime, national security and information security management. He is in the US Cybercrime & Breach Response practice.  Working with many of the most established and well known corporate brands, as well as law enforcement and the intelligence community, he has led many cyber breach investigations and advised executive management on breach management strategy and mitigation execution.  Don’s cyber breach investigative work has been across multiple industries, from financial services and defense, to retail, manufacturing and healthcare.  These cyber breach cases included the compromise of regulated personal information, as well as intellectual property and trade secret theft and fraud.

Prior to joining PwC, Don was the CEO and Chief Risk Analyst at ZeroPoint Risk Research LLC, a company he founded in 2009.  He also served in executive security positions at Dun & Bradstreet/Dataquest, Gartner and Jefferson Wells.  He was Trusted Advisor to the US Secrecy Commission, also known as the Moynihan Commission on Protecting and Reducing Government Secrecy, created under Title IX of the Foreign Relations Authorization Act.  For more than a decade he worked with the National Security Institute and remains an advisory board member there.

He has been an adjunct lecturer at Boston University and a guest lecturer at the Carroll School of Management at Boston College in the International MBA program.   In 2013 he was appointed to the Tech Target Security Media Advisory Board.

A frequent speaker at US domestic and international industry events sponsored by the Institute of Internal Auditors, he has appeared on Fox News as a cybercrime and breach analyst and on other television and radio programs. Cited in books, and academic and military studies on cybersecurity, Don is the author of many articles on the subject and two books: Threat! Managing Risk in a Hostile World (The IIA Research Foundation, July 2008) and CyberThreat! How to Manage the Growing Risk of Cyber Attacks (John Wiley & Sons, July 2014).