Since 2011, SANS has been celebrating those "Difference Makers" whose innovation, skill and hard work have resulted in real increases in information security. There is no shortage of publicity around failures in security - constant headlines detailing breaches and vulnerabilities at companies and government agencies. However, what you never hear about are the many organizations who aren't in the news because their security staff have found ways to meet business and mission needs while protecting customer and business data from attackers. There are thousands of security practitioners out there who are quietly succeeding and making breakthroughs in advancing security.
On Thursday, December 15th, at the SANS Cyber Defense Initiative ® Conference in Washington DC, SANS celebrated 2016's "Difference Makers." The 2016 list of cybersecurity Difference Makers includes:
Chris Burrows, CISO, Oakland County MI
Chris is currently the Chief Information Security Officer for Oakland County, MI. He holds CISSP and GICSP certifications and has served on international IT security standards boards. In his first year as CISO, he drove improvements in basic security hygiene, including the elimination of unneeded administrative privileges and the resolution of all critical vulnerabilities within 48 hours. In addition to his CISO duties, Chris volunteers as a Team Leader in the Michigan Cyber Civilian Corps, a group of experienced cybersecurity experts who individually volunteer to assist the state of Michigan in times of emergency.
Eric Alexander, Senior Network and Security Engineer, BI Inc.
Eric Alexander has been with BI for seven years, and over the last five his responsibilities have expanded as the company has grown from just two sites to over 90 field offices across the U.S., plus a new data center build-out in Aurora, CO, and the acquisition of another company near Chicago. He has worked diligently to standardize the company on one brand of firewall, one or two brands of switches, one brand of AV and one brand of encryption, simultaneously reducing costs and increasing security effectiveness. He holds CISSP and GIAC certifications. Eric is leading the roll-out of two-factor authentication as well as encryption of data at rest for all production environments, and he has initiated separation of duties between developers and architects on one side and the production environment on the other.
A quote from his manager: "Sometimes his dedication to security is a
pain for us to initiate and roll out but in the long term he has made
our environment and systems more secure so we can sleep better at
nights."
Jon Homer, DHS
Jon currently works at DHS on classified projects; before that he was the head of Security Awareness for Idaho National Labs. Jon is a major contributor to the security awareness community, continually pushing the community to think and communicate in new and different ways. He makes organizations rethink how to truly engage with people and is actively helping others change user behavior in ways that lead to measurable increases in security.
John Martin, Boeing
John has been very outspoken to his vendor community about the need for his company to have a secure manufacturing process that includes trustable and secure software coming from suppliers. He is able to take the lessons of a manufacturer, with all the supply chain expertise that requires, and translate them to the software supply chain to drive increases in application security vulnerability testing.
Joseph Roundy, Cybersecurity Program Manager, Montgomery College
In May 2014, Joe began modernizing the internet-accessible Cybersecurity Lab at Montgomery College; the new lab was functional in May 2015. Joe has organized and hosted several high school cybersecurity events, including a cyber competition developed from NYU Poly. He has taken students to visit cybersecurity businesses and to attend cybersecurity conferences to further their education and their understanding of the breadth and depth of cybersecurity. He is currently the Principal Investigator on an NSF CyberCorps Scholarship for Service award. During this academic year alone, 25 MCPS teachers are using the Lab for code.org training and curriculum development held on Saturdays. At the request of students at Poolesville High School, Joe served as a technical mentor and adviser to four student teams from the high school who participated in the Air Force Association's CyberPatriot competition program. One of the Poolesville teams successfully moved through the preliminary rounds and made it to the final competition, where they placed third overall. In July, Joe was invited to participate in the White House Office of Science and Technology Policy Cybersecurity Competitions Workshop.
Elayne Starkey, CISO, Delaware Department of Technology and Information CSO Team, State of Delaware
In her role as the Chief Information Security Officer of the State of
Delaware, Elayne Starkey has pioneered many initiatives which act as a
template for other state CISOs in securing their environments, with
annual events including a large-scale security conference, an in-depth
cyber security exercise, a disaster recovery exercise, a CISSP bootcamp,
and even an initiative for reaching out to 37,000 grade school students
to improve their security awareness. Elayne is a bridge builder,
pulling together executive-level support from her state's governor and
CIO, state legislators, her technical team, and more, as she strives to
ensure all of these stakeholders have input and buy-in into what becomes
a state-wide plan of action.
Jeff Hobday, Chief, Defensive Cyber Operations Branch, 442d Signal Battalion at Fort Gordon, GA
Jeff Hobday manages multiple Military Occupational Specialty (MOS) training programs at the Signal School, Fort Gordon. Two of these MOS programs (255S and 25D) are cybersecurity-centric and very new to the Army, and he is also integrating cyber into the existing MOS programs. Because uniformed leadership at Fort Gordon changes every two years, Jeff is constantly re-educating his leadership on both the objectives of his training programs and the demanding, cutting-edge curriculum they require. Keeping his programs afloat and current under today's budgetary constraints is a heroic effort.
Lisa Wiswell, OSD Defense Digital Service; Charley Snyder,
OSD Cyber Policy; Alex Romero, Defense Media Activity - Hack the
Pentagon
Hack the Pentagon, the U.S. Government's first-ever bug bounty, launched on April 18, 2016 and ran for 24 days. Through this innovative effort, hackers were given legal consent to use specific hacking techniques against Department of Defense (DoD) websites, receiving financial awards for successfully submitting vulnerability reports. The pilot yielded impressive results, greatly exceeding expectations. The challenge was hosted by HackerOne, a Silicon Valley-based firm that offers vulnerability disclosure and bug bounty as a service. HackerOne assisted in recruiting 1,410 hackers for the challenge. Over 250 of them submitted vulnerability reports. Ultimately, 138 reports were deemed valid security vulnerabilities, and 61 hackers were paid for their efforts. The quantity, quality, and diversity of the vulnerabilities reported dwarfed previous efforts against the same assets. The entire cost of the Hack the Pentagon pilot was $150,000, with about half going to the hackers themselves.
Maj Gen Earl D. Matthews (USAF, Ret), Vice President, Enterprise Security Solutions, HP Enterprise
Under the leadership of Earl Matthews, the Cyber Security Intern Program (CSIP) team developed and delivered a comprehensive, paid 11-week summer cybersecurity internship to eight students from eight colleges and universities. The CSIP is a public-private partnership to develop university students into the next generation of cybersecurity professionals through education, on-the-job mentoring, and professional development. Each week, the interns attended a minimum of five hours of academic lectures in eight core cybersecurity areas, each instructed by a domain expert. They also spent each week in cybersecurity operational project internships and worked in teams and with their mentors to solve open-ended, real-world cybersecurity challenges. Furthermore, each intern conducted cybersecurity research, produced a white paper based on that research, and presented their solutions to the VP of Enterprise Security Solutions. The inaugural CSIP was an overwhelming success, and the intern cohort is expected to double in size for summer 2017.
Joanne McNabb, Director of Privacy Education and Policy in the Office of the California Attorney General
Joanne was instrumental in creating what could be the world's first
minimum standard of information security contained in the 2016
California Data Breach Report, i.e., to implement the Center for
Internet Security's Critical Security Controls. She has a particular
interest in helping SMBs doing business in California improve their
security, and for the week of Sep 27 has organized workshops (featuring
CIS) for multiple city Chambers of Commerce, law firms, and investors.
GySgt Johnathan Norris, JCU Cyber Troop, Ft. Bragg, NC
He is a senior NCO for the CPT that supports JSOC, but what I would like to recognize him for is the work he is doing at a local high school, Terry Sanford High School. He is working with the JROTC program as a mentor to create excitement around cyber and to prepare the students for future careers. He volunteers his time, and enlists other mentors from work, to prepare these kids for the future. The school does not have a cyber curriculum, so he has created a club within the school. He introduced Cyber Aces to his students to give them something to do over the summer and build on what they were taught during the season. The number of students he has participating in CyberPatriot has tripled, last I heard, with the same base of mentors. We got them use of an instance of NetWars to help out this past year. He is trying to prepare them for other events like Mitre Academy. He also works with local ISSA and AFCEA chapters to garner support for elevating cyber in the state. He is one of those unsung heroes who goes the extra mile behind the scenes.
Lighthouse Award Winner - Howard Schmidt
Howard Schmidt has had a long and distinguished career in cybersecurity, shining a bright light on important security issues in government and private industry for over 40 years. He started his career in the Air Force with both active military service and as a civilian employee. He then spent 15 years in law enforcement, first with the Chandler AZ police department and then the FBI. From 1997 to 2001, Howard was CISO at Microsoft before being appointed by President Bush as vice chair of the President's Critical Infrastructure Protection Board and as the special adviser for cyberspace security for the White House. He retired from government and became CISO at eBay before returning to government service in 2009 as President Obama's Cybersecurity Advisor until 2012.