There is no shortage of publicity around failures in security - constant headlines detailing breaches and vulnerabilities at companies and government agencies. However, what you never hear about are the many organizations who aren't in the news because they have found ways to meet business and mission needs while protecting customer and business data from attackers. There are thousands of security practitioners out there who are quietly succeeding and making breakthroughs in advancing security.
In the fall, SANS solicited nominations from the SANS community for names of individuals, teams and groups who implemented security processes or technology in 2013 that resulted in meaningful and measurable advances in security. The criteria for nomination were:
- Must have led the implementation and deployment of security processes or controls in 2013 that either (a) made measurable increases in cybersecurity, or (b) enabled new business initiatives (such as use of BYOD, cloud, Smart Grid, Digital Government, etc.) while maintaining required security levels.
- The deployed solutions must show advances or innovation over common levels of practice.
On Monday 16 December at the SANS Cyber Defense Initiative conference in Washington DC, SANS celebrated the most dedicated and innovative "People Who Made a Difference in Security in 2013." Congratulations to the following people (and teams) for making a real difference in security in 2013!
Erica Borggren, Illinois Department of Veterans' Affairs
Erica Borggren is Director of the Illinois Department of Veterans' Affairs. She has provided tireless effort, leadership and expertise to security career training work with Veterans in Illinois. Thanks to Erica, tremendous progress was made in figuring out what works/doesn't work with this constituency.
Todd Boudreau, US ARMY
In late 2007 CW5 Todd Boudreau working in the Office Chief of Signal began redesigning the Army Signal warrant officer structure to follow the Department of Defense Network Operations (NetOps) construct. At that time the occupational classifications (250N, 251A, 254A, and 255Z) had overlap in some areas and gaps in others, specifically computer network defense.
This transformation resulted in the establishment of the Army's Expert Cyberspace Content Technician (255A), the Army's Expert Cyberspace Network Management Technician (255N), the Army's Expert Cyberspace Defense Technician (255S), and the Army's Senior Cyberspace Network Operations Technician (255Z).
Since then, the SIGCoE has graduated over 100 Warrant Officers through this program, who are seen as Army Cyber Warriors and the gold standard for Army Cyber personnel. The SIGCoE is now in the process of jumpstarting the new 26 Charlie Cyber Warrior training for O-grade Officers. The inclusion of the above computer network defense personnel into the network operations (many of which are becoming cyber operations) centers employed from the tactical brigade to the national level will enable a true defense-in-depth required to face adversaries as they attempt to penetrate our networks from outside, from the tactical wireless, and from the insider threats.
Mandy Galante, Red Bank Regional High School
Mandy Galante is a NJ-based high school teacher who inspires her students to build their cyber security skills and compete in various challenges. Her students have done really well in the Cyber Aces OnLine competitions. She even competes alongside them to encourage them.
The Global Industrial Cyber Security Professional (GICSP) Team - Tyler Williams, Auke Huistra, Markus Braendle, Graham Speake, Doug Wylie, Tim Conway and Derek Harp
This team of people drove a collaborative effort with GIAC to develop a unique, practitioner-focused industrial control system security skills certification program - the Global Industrial Controls Systems Practitioner certification. The GICSP is the newest certification in the GIAC family and focuses on the foundational knowledge of securing critical infrastructure assets. The GICSP bridges together IT, engineering and cyber security to achieve security for industrial control systems from design through retirement.
Jeff Hanson, Damascus High School
Jeffrey Hanson is a MD-based high school teacher who provided tremendous input and expertise for refining the Cyber Foundations competitions, which grew into Cyber Aces OnLine.
Federal Trade Commission
The FTC is an independent agency founded way back in 1914. It seems like regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and in particular, going after companies that don't protect their customers' information. The FTC doesn't seem to need new laws or more money, it just keeps fighting for its customers.
Major TJ O'Connor, The United States Military Academy at West Point
Maj. O'Connor built a cyber capability in his team that set the standard for his entire organization. He used the existing IA roles in order to have the bodies, and then provided training for them to have a capability way beyond a normal IA type team. He really did create one of the first Cyber Guardian teams, and showed other companies how to do it. He has become the go-to advisor to senior leaders who need help thinking about the skills needed for world class cybersecurity teams.
Mike Qaissaunee, Brookdale Community College
Mike Qaissaunee has been a tremendous force in recruiting students, encouraging them as they go through the program, and dealing with a lot of the administrative burden associated with grant applications and fulfillment.
Alex Ruiz, DHS ICE Social Engineering Training Effort
Alex Ruiz led the Immigration and Customs Enforcement (ICE) Social Engineering Training (ISET) Program to provide evaluation and improvement of the operational security posture of ICE personnel. The ISET evaluations assist ICE in understanding the exposure to social engineering threat vectors by evaluating ICE personnel's ability to identify a social engineering attack and report the incident once it has been identified. The ISET team developed a multiphase approach to ensure awareness of social engineering, phishing, and the importance of safeguarding Personally Identifiable Information (PII).
Jonathan Trull, State of Colorado, Governor's Office of Information Technology
Jonathan Trull had worked in the Colorado Office of the State Auditor for a decade. As the Deputy State Auditor, he was responsible for overseeing annual audits of the state's systems and kept seeing the same security mistakes uncovered by audits every year.
He took over as Chief Information Security Officer for the state of Colorado in 2012, starting with a minuscule budget. He quickly pulled together a cross-industry team and put together the "Secure Colorado" plan that focused on the Critical Security Controls and some early quick wins to drive measurable improvements in the security of the State of Colorado's information systems.
Larry Wilson, University of Massachusetts
Larry Wilson is the CISO of the University of Massachusetts. He was brought in after UMASS had a serious data breach. Larry focused on moving UMASS from a compliance-first approach to a security-first approach. He used the Critical Security Controls to focus on preventing attacks and stayed with ISO 27001 for the management controls, driving UMASS to higher levels of security without impacting compliance. Larry has also supported a consortium of New England universities in making similar advances in security.
Melanie Woodruff, Experian
Melanie has spearheaded an ongoing effort to enhance and reinforce the security around Experian's systems and software provided to its customers and clients. Over five years ago, Experian began the initiative to integrate application security into the software development lifecycle. The objective for this new security program was to integrate application security testing into the development process of all applications, worldwide.
Over the past several years, the SecureCORE program, led by Melanie, has continued to grow and has required an increase in funding to now cover all Experian-developed products, whether developed for internal use or for a third party, and to provide education for a population of around 3,000 development roles across the enterprise. While hard data is not currently available, the company has increased the number of applications scanned as well as the number of developers participating in the program year over year.
Jack Nichelson, GrafTech International - Honorable Mention
GrafTech identified that their biggest productivity loss was from Java-based malware infections. So, by leveraging Microsoft App-V, they were able to virtualize Java for accessing Java content. They were then able to remove Java from 90% of our workstations, and for the remaining 10% that still had a need for Java to run locally they ensured that Java was disabled in the main browser. This lowered our malware infection rate by 60% and lowered the number of systems that required re-imaging by 80%.