In the run-up to Black Hat, Defcon, and BsidesLV, we thought it pertinent to highlight some of the best and brightest infosec pros in the business – some of whom are long-standing veterans who deserve more attention, and some of whom are emerging influencers we should all be paying attention to.
We privately surveyed a broad spectrum of thought leaders in the field of security and risk management and asked them to recommend candidates in three general areas – Defenders, Educators, and Hackers.
Last week we featured The Defenders, and the response from the security community was astounding. This week it’s time to recognize some of the leading Educators in the field – those individuals who have an impact on the nature of discourse in the field of security, who openly share their insights and expertise for the benefit of all, and who continue to impact the fundamental tenets of information security and risk management.
Please note that this is not an attempt at ranking these individuals, as the finalists are simply presented here in alphabetical order, and we also realize the list is far from being all-inclusive.
With the caveats aside, let’s give kudos to the Educators!
Dan Cornell, CTO at Denim Group
Cornell is recognized as a leader in the application security industry, and it seems he is everywhere at once. He was recommended for his groundbreaking work on ThreadFix, an open source software vulnerability management tool that gives security managers and professionals a central location to store and track software vulnerabilities. He has also made invaluable contributions to the OWASP community, and is in high demand for trainings and presentations at numerous security conferences. With application vulnerabilities having emerged as one of the leading threat vectors, Cornell’s work is more important today than ever.
Bruce Hallas, Information Security, Governance & Risk Management
Hallas began his career in law, finance and business development and brought those skills to the field of security, spending a good deal of the last 12 years developing information security risk strategies for global and national business operations. Hallas is acknowledged as the brains behind The Analogies Project, which he founded to make the challenges of infosec easier for the ordinary person to understand by explaining complicated security concepts in the form of simple stories and analogies. Effectively translating security for less technical audiences is paramount to the success of any security program, and we applaud the effort.
Rebecca Herold CIPM CIPP/US/IT CISSP CISM CISA, AKA: “The Privacy Professor”
Herold has more than twenty years’ experience in matters related to law, infosec, and privacy, and is also an accomplished author and Adjunct Professor for the Norwich University Master of Science in Information Assurance Program. With wide-ranging subject matter expertise, Herold has led the NIST Smart Grid privacy group since 2009, where she also spearheaded the Privacy Impact Assessment (PIA) for utilities. She worked with ENISA to produce its “Obtaining support and funding from senior management” guidelines for businesses, and currently advises healthcare organizations and their business associates on how to meet their HIPAA, HITECH and other information security and privacy compliance and risk mitigation requirements. Herold’s accomplishments are too many to list here, and we are certain the industry would be wanting but for her tireless efforts.
Haug is a business strategist with a deep interest in information security as a strategic business asset. Where infosec pros think of security in terms of ICT, technology, hackers and so forth, Haug takes a satellite perspective: he looks at security as a means to reduce operational, financial and strategic risk, and focuses on creating business value where security is part of the value proposition. Unlike most business strategists, Haug understands security principles, and this two-way perspective gives him a unique point of view. We expect to see a lot more from him in the years to come.
Francis Hoang, Partner at Fluet, Huber & Hoang
Hoang’s specialty is the legal field, and his contributions to national security efforts are exceptional. He graduated in the top 1% of his West Point class and served in southeastern Afghanistan as the Executive Officer of a U.S. Army Special Forces company that deployed for seven months of combat operations in support of Operation Enduring Freedom. During the Bush Administration, Hoang served as Associate Counsel to the President of the United States, served with the GAO and other government agencies, and provided legal counsel to the Homeland Security Council. While serving as counsel, Hoang provided legal and cybersecurity compliance guidance that enabled a federal contractor to securely communicate mission-critical information, resulting in over 160 detections of boats carrying illegal drugs valued at over $660 million. He is now a partner at Fluet, Huber & Hoang, where he represents, advises and counsels individuals and entities on cybersecurity, physical defense and intelligence matters.
Curtis KS Levinson CDP CISSP-CAP MBCP CCSK, United States Cyber Defense Advisor to NATO
Levinson continually advises the 28 member nations of the North Atlantic Treaty Organization (NATO) as they begin the massive paradigm shift from the physical battlefield to the virtual battlefields of cyberspace. He develops and directs state-of-the-art security, cloud and governance teams, and implements security architectures and best practices for organizations with a wide array of risk postures in very complex and distributed environments. Levinson has served two U.S. Presidents, two Chairmen of the Joint Chiefs of Staff, and the Chief Justice of the United States. When Levinson talks about the implications of security postures in relation to the advent of cyberwarfare capabilities, people and governments listen, and for good reason: he is helping to direct the strategies deployed on the digital front lines.
Lee Mangold, Security Researcher, Author, Scientist, Mentor, Student, Entrepreneur and Evangelist
Mangold is an accomplished researcher, author, student, entrepreneur and information security evangelist. Working with both private and public organizations, he has developed a wide variety of high-tech projects and security solutions, and he is currently a senior researcher and network operations manager for a major U.S. defense contractor. As a doctoral candidate, Mangold focuses on methods of effectively delivering information security training to a diverse audience; his research examines adaptive training tailored to an individual’s position and experience. Mangold is also helping to organize CyberCamp, which is being hosted by Daytona State University with the help of an NSF digital forensics grant and aims to share security and technology knowledge with the next generation of professionals, a worthy endeavor for sure.
Lee Munson, Social Media Manager at BH Consulting and Principal at Security-FAQs
Munson is one of those rare people who can explain complex technical issues in language that ordinary people can understand, which is no easy task, and his Security-FAQs blog and Twitter postings are widely regarded as a great source of security information. What adds to Munson’s charm is that his professional background is not in infosec, and he has no formal technical training. Nonetheless, he is regarded as an authority on the infosec issues of the day. Munson’s reputation is such that his recent temptation to discontinue blogging, because of the massive amount of uncompensated time and resources it demands, led the security Twittersphere to utter a collective gasp. We must all thank Brian Honan of BH Consulting for coming to the rescue by offering Munson a gig as the company’s Social Media Manager, assuring that we will all continue to benefit from Munson’s labors.
Allison Nixon, Penetration Tester / Incident Response
Nixon first developed an interest in security by learning how to “cheat” at video games, which turned into a passion for penetration testing and has blossomed into a career as a first-rate infosec researcher. Nixon is a regular on the Pauldotcom podcast and an avid contributor to the Micrmsoft blog (not misspelled, and no association with Microsoft). She has also presented at BSides Boston, speaks at local OWASP meetings, serves on the executive board of MalShare, and designed the electronics and software for the laser maze at the 2012 Braintank conference. Nixon keeps a very low profile despite her many accomplishments, and is a player to keep tabs on as her career continues to take her in new directions.
Theresa Payton, CEO and President at Fortalice
Payton is nothing less than extraordinary, with over twenty years of business and technology leadership experience at some of the biggest financial corporations in the world, as well as being a published security and privacy author with a focus on children and internet safety. If that’s not enough to get her on this list, she also worked for the Bush Administration as the White House Chief Information Officer, the first woman ever to hold the position. During her service, her team worked to secure the systems that 3,000+ members of the Executive Office of the President depended on daily. Payton has led strategic planning teams, managed mergers and acquisitions, run technology and operations units, and overseen fraud and risk management operations. Aside from her work delivering security, risk and fraud consulting services to private and public organizations, she is fighting back against cyber criminals, and by extension supporting internet security for us all, as the host of Protecting Your Cyberturf, a weekly segment on Charlotte’s CBS station (WBTV), and as co-host of “Cyber Mondays” on Charlotte’s WBT 1100 AM radio station. Payton is one of a kind.
Christopher Porter, Managing Principal at Verizon
As a managing principal of the Verizon RISK Team, Porter has been instrumental in producing the company’s Data Breach Investigations Report (DBIR) for several years and owns a huge piece of all the work that goes into the benchmark report, managing a team that collects, analyzes and distributes data on threat intelligence and security incidents. His many admirers say he has contributed more to the fields of security intelligence and breach analysis than almost anyone else in the industry, and may well be one of the top five unheralded people advancing the industry today. Porter also helped create the VERIS framework (Vocabulary for Event Recording and Incident Sharing), which has allowed organizations to standardize security incident metrics. Porter has also worked as an economist, a network and systems administrator, and an information security consultant, and serves on the advisory board of the M.S. in Management of Information Technology (MIT) program at the University of Virginia’s McIntire School of Commerce. With Porter at the helm of the DBIR, we can expect him to continue to have a significant impact on the security industry as a whole.
Wim Remes, Managing Consultant at IOActive
Remes is a Managing Consultant at IOActive, and was formerly an information security consultant at Ernst & Young, working as a manager in the FSO IT Risk and Assurance practice in Belgium. With over 15 years of experience in IT security and deep expertise in network security, identity management, policy design, risk assessment and penetration testing, his focus has been on reducing the high cost of IT security failures, both financially and in terms of brand reputation. Remes’ admirers consider him a groundbreaking thought leader who is active everywhere in the security community, and who has had an impact as a member of the (ISC)² Board of Directors. He is a sought-after presenter, having spoken at numerous events such as Excaliburcon (Wuxi, China), FOSDEM (Brussels, Belgium) and SOURCE Barcelona, and is co-host of the Eurotrash Security podcast. Remes has also participated in the development of the Penetration Testing Execution Standard (PTES) and InfosecMentors, and in organizing the BruCON security conference. Remes’ unbridled passion for security work means we will continue to see numerous contributions to the industry for decades to come.
Chris “Suggy” Sumner, Security Data Analyst/Scientist at Hewlett-Packard
Sumner is an influential contributor to the emerging field of social media behavioral residue research, which combines the disciplines of psychology, social networking, data mining and visual analytics. He has presented his extensive research at conferences such as Black Hat, Defcon and the European Conference on Personality. Sumner is a highly motivated and enthusiastic senior information security manager with HP, with two decades of experience in developing security policies, programs and architectures, and is a co-founder of the nonprofit Online Privacy Foundation. Aside from his many professional accomplishments, anyone who knows “Suggy” will attest that he is one of the nicest guys in the industry, and we can expect to see more groundbreaking research from him in the years to come.
Georgia Weidman, Founder and CEO at Bulb Security
Weidman is a prodigy, having begun college at the tender age of 14 and received her Bachelor’s degree in Mathematics at 18. She went on to complete her Master’s degree in Computer Science with a focus on information security and secure software engineering. Weidman has worked in information security in both the public and private sectors, and founded Bulb Security LLC, which engages in security training, research and development, and penetration testing. She was awarded a DARPA Cyber Fast Track grant to continue her research into smartphone security, and released an open source tool called the Smartphone Pentest Framework (SPF), which is used for assessing the security posture of smartphones in the enterprise and is now included in the BackTrack Linux distribution. She is a regular at security conferences like ShmooCon, Black Hat, BruCON, Hack in the Box, DerbyCon, and numerous Security BSides events. Weidman will certainly continue to make significant contributions to the security field, and was a natural for inclusion in this listing.
Jack Whitsitt, Principal Analyst at Energy Sector Security Consortium
Last, but by no means least, we have Jack Whitsitt, a Principal Analyst for EnergySec, who plays a vital role in securing the U.S. electric sector through his outreach, consulting, community engagement, education, and technical capabilities. Whitsitt combines his technical prowess and risk management experience to further the public/private partnerships that are key to securing a vital portion of our nation’s critical infrastructure. Whitsitt has provided much-needed thought leadership, contributed to the infrastructure protection dialogue at all levels of government and within the industry, and is credited with being a key player in several successful sector-wide initiatives.
With the federal government positioning critical infrastructure as a primary focus for cybersecurity efforts, we can expect Whitsitt to continue to make exceptional contributions to the field.
We know there are many, many more out there – so who would you suggest? Make your recommendations in a comment below, or shoot me an email at afreed at tripwire dot com and we can include them in a subsequent article. Cheers all!
Editor’s Note: Next week we present the Hackers. A special thanks to the many infosec pros – and you know who you are – who helped us identify these fine educators and put this list together – we appreciate your time, input, and above all else your candor. Additional data gleaned from publicly available LinkedIn profiles.
- Infosec’s Rising Stars and Hidden Gems: The Defenders
- Infosec Gurus on Positioning Security as a Business Enabler
- Top 25 Influencers in Security You Should Be Following
- 25 Infosec Gurus Admit to their Mistakes…and What They Learned from Them
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock