SANS Announces Winners of the 2016 Difference Makers Award

Bethesda, Md. – SANS Institute is pleased to announce the winners of the SANS 2016 Difference Makers Award which celebrates those individuals whose innovation, skill and hard work have resulted in real increases in information security. While there is no shortage of publicity around failures in security, there are many organizations who aren't in the news because their security staff have found ways to meet business needs and protect customer and business data from attackers. The SANS Difference Makers Award was formed to honor these individuals who are quietly succeeding and making breakthroughs in advancing security.

On Thursday, December 15th at the SANS Cyber Defense Initiative ® Training Event in Washington DC, SANS will celebrate 2016's "Difference Makers." The 2016 list of cybersecurity Difference Makers include:

Chris Burrows, CISO Oakland County MI - In his first year as CISO, Burrows drove improvements in basic security hygiene, including elimination of unneeded administrative privileges and resolving all critical vulnerabilities within 48 hours. In addition to his CISO duties, he volunteers as a Team Leader in the Michigan Cyber Civilian Corps, which is a group of experienced cybersecurity experts who individually volunteer to provide assistance to the state of Michigan in times of emergency. Burrows has CISSP and GICSP certification and has served on international IT Security Standard Boards.

Eric Alexander, Senior Network and Security Engineer, BI Inc. - Alexander has been with BI for 7 years. During the last 5 years his responsibilities have expanded as the company has grown from just two sites to over 90 field offices across the U.S., a new data center in Aurora, CO, and the purchase of another company near Chicago. He has worked diligently to standardize the company on one brand of firewall, one or two brands of switches, with one brand of AV and one brand of encryption, simultaneously reduce costs and increasing security effectiveness. Alexander is leading the roll-out of 2 factor authentication as well as encrypted data at rest for all production environments. He has initiated separation of duties between developers and architects and the production environment.

Jon Homer, DHS - Homer currently works at DHS on classified projects, before that he was the head of Security Awareness for Idaho National Labs. He is a major contributor to the Security Awareness community, continually pushing the community to think and communicate in new/different ways. He makes organizations rethink how to truly engage with people and is actively helping others to change user behavior in ways that lead to measurable increases in security.

John Martin, Boeing - Martin has been very outspoken to his vendor community about the need for his company to have a secure manufacturing process that includes trustable and secure software coming from suppliers. He is able to take the learnings of a manufacturer with all the supply chain expertise required and translate that to the software supply chain to drive increases in application security vulnerability testing.

Joseph Roundy, Cybersecurity Program Manager, Montgomery College - In May 2014, Roundy began modernizing the internet-available Cybersecurity Lab at Montgomery College. The new lab was functional in May 2015. He has organized and hosted several high school cybersecurity events including a cyber competition that was developed from NYU Poly. Roundy has taken students to visit cybersecurity businesses and to attend cybersecurity conferences to further enhance their education and understanding of the breadth and depth of cybersecurity. He is currently the Principal Investigator on an NSF Cybercorps Scholarship for Service award. During this academic year alone, 25 MCPS teachers are using the Lab for training and curriculum development held on Saturdays.

Elayne Starkey, CISO, State of Delaware - Starkey has pioneered many initiatives which act as a template for other state CISOs in securing their environments, with annual events including a large-scale security conference, an in-depth cyber security exercise, a disaster recovery exercise, a CISSP bootcamp, and even an initiative for reaching out to 37,000 grade school students to improve their security awareness. She is a bridge builder, pulling together executive-level support from her state's governor and CIO, state legislators, her technical team, and more, as she strives to ensure all stakeholders have input and buy-in into what becomes a state-wide plan of action.

Jeff Hobday, Chief, Defensive Cyber Operations Branch, 442d Signal Battalion at Fort Gordon, GA - Hobday manages multiple Military Occupational Specialty (MOS) training programs at the Signal School, Fort Gordon. Two of these MOS programs are cyber security centric and very new to the Army (255S, 25D). He's also integrating cyber into this existing MOS programs. As uniform leadership changes at Fort Gordon every two years, he is constantly re-educating his leadership on both the objectives of his training programs and the demanding cutting-edge curriculum required. Keeping his programs afloat and current under today's budgetary constraints is a heroic effort.

Lisa Wiswell, OSD Defense Digital Service; Charley Snyder, OSD Cyber Policy; Alex Romero, Defense Media Activity: Hack the Pentagon - Hack the Pentagon, the U.S. Government's first ever bug bounty, launched on April 18, 2016 and ran for 24 days. Through this innovative effort, hackers were provided legal consent to use specific hacking techniques against Department of Defense (DoD) websites, receiving financial awards for successfully submitting vulnerability reports. The pilot yielded impressive results, greatly exceeding expectations. The challenge was hosted by HackerOne, a Silicon Valley- based firm that offers vulnerability disclosure and bug bounty as a service. HackerOne assisted in recruiting 1,410 hackers for the challenge. Over 250 of them submitted vulnerability reports. Ultimately, 138 reports were deemed valid security vulnerabilities, and 61 hackers were paid for their efforts. The quantity, quality, and diversity of the vulnerabilities reported dwarfed previous efforts against the same assets. The entire cost of the Hack the Pentagon pilot was $150,000, with about half going to the hackers themselves.

Maj Gen Earl D. Matthews (USAF, Ret), Vice President, Enterprise Security Solutions, HP Enterprise - Under the leadership of Maj Matthews the Cyber Security Intern Program (CSIP) team developed and delivered a comprehensive, paid 11-week summer cyber security internship to eight students from eight colleges and universities. The CISP is a public-private partnership to develop university students into the next generation of cyber security professionals through education, on-the-job mentoring, and professional development. Each week, the interns attended a minimum of five hours of academic lectures in eight core cyber security areas instructed by a domain expert. The inaugural CSIP was an overwhelming success and the intern cohort is expected to double in size for summer 2017.

Joanne McNabb, Director of Privacy Education and Policy in the Office of the California Attorney General - McNabb was instrumental in creating what could be the world's first minimum standard of information security contained in the 2016 California Data Breach Report (i.e. to implement the Center for Internet Security's Critical Security Controls). She has a particular interest in helping SMBs doing business in California improve their security and has organized workshops (featuring CIS) for multiple city Chambers of Commerce, law firms and investors.

GySgt Johnathan Norris, JCU Cyber Troop, Ft. Bragg, NC - GySgt Norris is a senior NCO for the CPT that supports JSOC. He is working with the JROTC program at local high school, Terry Sanford High School as a mentor to create excitement around cyber and to prepare the students for future careers. He volunteers his time, and enlists other mentors from work, to prepare these kids for the future. The school does not have a cyber curriculum, so he has created a club within the school. He introduced cyber aces to his students to give them something to do over the summer and build what they were taught during the season; the number of students participating has tripled since introduced. He also works with local ISSA and AFCEA chapters to garner support for elevating cyber in the state.

Lighthouse Award Winner: Howard Schmidt

Schmidt has had a long and distinguished career in cybersecurity, shining a bright light on important security issues in government and private industry for over 40 years. He started his career in the Air Force with both active military service and as a civilian employee. He then spent 15 years in law enforcement, first with the Chandler AZ police department and then the FBI. From 1997 to 2001, Howard was CISO at Microsoft before being appointed by President Bush as vice chair of the President's Critical Infrastructure Protection Board and as the special adviser for cyberspace security for the White House. He retired from government and became CISO at eBay before returning to government service in 2009 as President Obama's Cybersecurity Advisor until 2012.

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. Today, SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals in government and commercial institutions world-wide. Renowned SANS instructors teach more than 60 courses at in-person and virtual cyber security training events and on demand. GIAC, an affiliate of the SANS Institute, validates practitioner skills through more than 35 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers a master’s degree, graduate certificates, and an undergraduate certificate in cyber security. SANS Security Awareness, a division of SANS, provides organizations with a complete and comprehensive security awareness solution, enabling them to easily and effectively manage their ‘human’ cybersecurity risk. SANS also delivers a wide variety of free resources to the InfoSec community including consensus projects, research reports, webcasts, podcasts, and newsletters; it also operates the Internet's early warning system–the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to support and educate the global information security community. (