SANS Difference Makers Awards 2016

The people and organizations who made a difference in security in 2016.

Since 2011, SANS has been celebrating those "Difference Makers" whose innovation, skill and hard work have resulted in real increases in information security. There is no shortage of publicity around failures in security - constant headlines detailing breaches and vulnerabilities at companies and government agencies. However, what you never hear about are the many organizations who aren't in the news because their security staff have found ways to meet business and mission needs while protecting customer and business data from attackers. There are thousands of security practitioners out there who are quietly succeeding and making breakthroughs in advancing security.

On Thursday, December 15th at the SANS Cyber Defense Initiative ® Conference in Washington DC, SANS celebrate 2016's "Difference Makers." The 2016 list of cybersecurity Difference Makers include:

Chris Burrows, CISO, Oakland County MI
Chris is currently the Chief Information Security Officer for Oakland County, MI. He has CISSP and GICSP certification and have served on international IT Security Standard Boards. In his first year as CISO, he drove improvements in basic security hygiene, including elimination of unneeded administrative privileges and resolving all critical vulnerabilities within 48 hours. In addition to his CISO duties, Chris volunteers as a Team Leader in the Michigan Cyber Civilian Corps, which is a group of experienced cybersecurity experts who individually volunteer to provide assistance to the state of Michigan in times of emergency.

Eric Alexander, Senior Network and Security Engineer, BI Inc.
Eric Alexander has been with BI for 7 years and the last 5 years have expanded Eric's responsibilities as the company has grown from just two sites to over 90 field offices across the U.S., plus a new data center build out in Aurora, CO, and the purchase of another company near Chicago. He has worked diligently to standardize the company on one brand of firewall, one or two brands of switches, with one brand of AV and one brand of encryption, simultaneously reduce costs and increasing security effectiveness. He has CISSP and GIAC certifications. Eric is leading the roll-out of 2 factor authentication as well as encrypted data at rest for all Production environments. He has initiated separation of duties between Developers and Architects and the Production environment. A quote from his manager: "Sometimes his dedication to security is a pain for us to initiate and roll out but in the long term he has made our environment and systems more secure so we can sleep better at nights."

Jon Homer, DHS
Jon currently works at DHS on classified projects, before that he was the head of Security Awareness for Idaho National Labs. Jon is a major contributor to the Security Awareness community, continually pushing our community to think and communicate in new/different ways. He makes organizations rethink how to truly engage with people and is actively helping others to change user behavior in ways that lead to measurable increases in security.

John Martin, Boeing
John has been very outspoken to his vendor community about the need for his company to have a secure manufacturing process that includes trustable and secure software coming from suppliers. He is able to take the learnings of a manufacturer with all the supply chain expertise required and translate that to the software supply chain to drive increases in application security vulnerability testing.

Joseph Roundy, Cybersecurity Program Manager, Montgomery College
In May 2014, Joe began modernizing the internet-available Cybersecurity Lab at Montgomery College. The new lab was functional in May 2015. Joe has organized and hosted several high school cybersecurity events including a cyber competition that was developed from NYU Poly. Joe has taken students to visit cybersecurity businesses and to attend cybersecurity conferences to further enhance their education and understanding of the breadth and depth of cybersecurity. He is currently the Principal Investigator on an NSF Cybercorps Scholarship for Service award. During this academic year alone, 25 MCPS teachers are using the Lab for training and curriculum development held on Saturdays. At the request of students at Poolesville High School, Joe served as a technical mentor and adviser to four student teams from the high school who participated in the Air Force Association's CyberPatriot competition program. One of the Poolesville teams successfully moved through primary rounds and made it to the final competition, where they placed third overall. In July, Joe was invited to participate in the White House Office of Science and Technology Policy Cybersecurity Competitions Workshop.

Elayne Starkey, CISO, Delaware Department of Technology and Information CSO Team, State of Delaware
In her role as the Chief Information Security Officer of the State of Delaware, Elayne Starkey has pioneered many initiatives which act as a template for other state CISOs in securing their environments, with annual events including a large-scale security conference, an in-depth cyber security exercise, a disaster recovery exercise, a CISSP bootcamp, and even an initiative for reaching out to 37,000 grade school students to improve their security awareness. Elayne is a bridge builder, pulling together executive-level support from her state's governor and CIO, state legislators, her technical team, and more, as she strives to ensure all of these stakeholders have input and buy-in into what becomes a state-wide plan of action.

Jeff Hobday, Chief, Defensive Cyber Operations Branch, 442d Signal Battalion at Fort Gordon, GA
Jeff Hobday manages multiple Military Occupational Specialty (MOS) training programs at the Signal School, Fort Gordon. Two of these MOS programs are cyber security centric and very new to the Army (255S, 25D). He's also integrating cyber into this existing MOS programs. As uniform leadership changes at Fort Gordon every two years, Jeff is constantly re-educating his leadership on both the objectives of his training programs and the demanding cutting-edge curriculum required. Keeping his programs afloat and current under today's budgetary constraints is a heroic effort.

Lisa Wiswell, OSD Defense Digital Service; Charley Snyder, OSD Cyber Policy; Alex Romero, Defense Media Activity - Hack the Pentagon
Hack the Pentagon, the U.S. Government's first ever bug bounty, launched on April 18, 2016 and ran for 24 days. Through this innovative effort, hackers were provided legal consent to use specific hacking techniques against Department of Defense (DoD) websites, receiving financial awards for successfully submitting vulnerability reports. The pilot yielded impressive results, greatly exceeding expectations. The challenge was hosted by HackerOne, a Silicon Valley- based firm that offers vulnerability disclosure and bug bounty as a service.. HackerOne assisted in recruiting 1,410 hackers for the challenge. Over 250 of them submitted vulnerability reports. Ultimately, 138 reports were deemed valid security vulnerabilities, and 61 hackers were paid for their efforts. The quantity, quality, and diversity of the vulnerabilities reported dwarfed previous efforts against the same assets. The entire cost of the Hack the Pentagon pilot was $150,000, with about half going to the hackers themselves.

Maj Gen Earl D. Matthews (USAF, Ret), Vice President, Enterprise Security Solutions, HP Enterprise
Under the leadership of Earl Matthews the Cyber Security Intern Program (CSIP) team developed and delivered a comprehensive, paid 11-week summer cyber security internship to eight students from eight colleges and universities. The CISP is a public-private partnership to develop university students into the next generation of cyber security professionals through education, on-the-job mentoring, and professional development. Each week, the interns attended a minimum of five hours of academic lectures in eight core cyber security areas instructed by a domain expert. They also spent each week in cyber security operational project internships and worked in teams and with their mentors to solve open-ended, real-world cyber security challenges. Furthermore, each intern conducted cyber security research, produced a white paper based on their dedicated research, and presented their solutions to the VP of Enterprise Security Solutions. The inaugural CSIP was an overwhelming success and the intern cohort is expected to double in size for summer 2017!

Joanne McNabb, Director of Privacy Education and Policy in the Office of the California Attorney General
Joanne was instrumental in creating what could be the world's first minimum standard of information security contained in the 2016 California Data Breach Report, i.e., to implement the Center for Internet Security's Critical Security Controls. She has a particular interest in helping SMBs doing business in California improve their security, and for the week of Sep 27 has organized workshops (featuring CIS) for multiple city Chambers of Commerce, law firms, and investors.

GySgt Johnathan Norris, JCU Cyber Troop, Ft. Bragg, NC
He is a senior NCO for the CPT that supports JSOC, but what I would like to recognize him for is the work he is doing at a local high school, Terry Sanford High School. He is working with the JROTC program as a mentor to create excitement around cyber and to prepare the students for future careers. He volunteers his time, and enlists other mentors from work, to prepare these kids for the future. The school does not have a cyber curriculum, so he has created a club within the school. He introduced cyber aces to his students to give them something to do over the summer and build what they were taught during the season. The number of students he has participating in Cyber Patriot has tripled last I heard, with the same base of mentors. We got them use of an instance of NetWars to help out this past year. He is trying to prepare them for other events like Mitre Academy. He also works with local ISSA and AFCEA chapters to garner support for elevating cyber in the state. One of those unsung heroes that goes the extra mile behind the scenes.

Lighthouse Award Winner - Howard Schmidt

Howard Schmidt has had a long and distinguished career in cybersecurity, shining a bright light on important security issues in government and private industry for over 40 years. He started his career in the Air Force with both active military service and as a civilian employee. He then spent 15 years in law enforcement, first with the Chandler AZ police department and then the FBI. From 1997 to 2001, Howard was CISO at Microsoft before being appointed by President Bush as vice chair of the President's Critical Infrastructure Protection Board and as the special adviser for cyberspace security for the White House. He retired from government and became CISO at eBay before returning to government service in 2009 as President Obama's Cybersecurity Advisor until 2012.