What makes a Security 7 award winner? In our 10th year of honoring outstanding information security professionals, we looked for security practitioners of good standing in seven markets, and then decided that we needed to move beyond those confines to recognize true stewards of progress in 2014.
This year's winners include a former NSA director turned scholar, a community builder, a hardware "hacker," a mobile software engineer, a health information-sharing visionary, and we posthumously recognize a dedicated steward of information security, who will be greatly missed.
The seven honorees -- some nominated by their colleagues and peers -- are remarkable not only for their information security achievements, but also for their business innovation and risk management in the dynamic, take-no-prisoners world of cybersecurity, which goes far beyond IT.
TITLE: Chief information security officer, associate vice president, IT risk management
COMPANY: Merck & Co. Inc.
Over the past year, Terry Rice has raised his game to new heights, with innovations at Merck & Co. Inc. and the acceleration of industry associations and standards, which he has worked tirelessly to promote.
As the CISO at Whitehouse Station, N.J.-based Merck, Rice is responsible for IT risk management along with the company's cybersecurity and compliance programs. He oversees hundreds of projects, from e-discovery to regulatory compliance to on-site inspections. He was also the driving force behind the launch of the company's EngageZone platform designed for secure collaboration between Merck and its partners -- contract research organizations, investigators, academia and others -- to help new drugs reach the market faster. EngageZone has mitigated information security risk, reduced compliance risk and cut capital and operating expenditures by millions of dollars, according to the company. It connects to Exostar's Life Sciences Identity Hub, which provides access to other industry and third-party applications through single sign-on using two-factor authentication. To raise the level of trust, credentials must be issued by a SAFE-BioPharma Credential Service Provider. The SAFE-BioPharma Association, of which Rice is chairman, was formed to reduce the enormous volumes of paperwork in the healthcare and pharmaceutical industry by enabling the secure electronic exchange of sensitive information and intellectual property. The SAFE-BioPharma digital identity and signature standard provides high-assurance identity trust for cyber-transactions in accordance with Federal Identity, Credential, and Access Management (FICAM) requirements.
Rice was an early lobbyist for a vertically-focused working group for the healthcare and pharmaceutical industry back when such groups were primarily aimed at financial services. Today, the Health Information Risk Working Group has 73 members including representatives from Abbott Labs, Aetna, CVS Caremark and Eli Lilly. Rice also serves on the board of directors of the National Health Information Sharing and Analysis Center (NH-ISAC).
From his early years in U.S. Army military intelligence to his jobs in the healthcare and pharmaceuticals, Rice has worked in information security for more than two decades. Prior to Merck, he was the director of the global security program at Johnson & Johnson. He has a Master of Science degree from George Washington University and a Bachelor of Science degree from the United States Military Academy at West Point.
TITLE Chief security officer
COMPANY: Sony Network Entertainment International
INDUSTRY: Digital entertainment
Tom Brady and Derek Jeter are noted for their legendary careers and loyalty during the highs and lows of playing for only one team. Jason Harkins is remarkable in the security field because of his rise through the ranks at the same company and his crisis management after a major security breach.
As the chief security officer of San Mateo, Calif.-based Sony Network Entertainment International (SNEI) since March 2013, Harkins has worked his way through numerous divisions of the company from his early days as manager of systems engineering at Sony Pictures Digital Entertainment to vice president and senior director of production systems at Sony Connect to executive director of technical operations at Sony Online Entertainment. In 2009, Harkins moved into security operations full time, as senior director of security operations and production services at SNEI.
Rising up through the ranks of your employer in the security field is a major feat. Retaining your position after a major breach is even more remarkable. The PlayStation Network had a high-profile outage in 2011 and Harkins played a major role in its recovery. He spearheaded the PCI-DSS compliance effort and the development of a fraud monitoring and detection program for the PlayStation platform and SNEI. As the inevitability of breaches becomes a reality that is acknowledged by management, the success of chief information security officers will increasingly be defined by their response to breach incidents and crisis management. Today, Harkins is responsible for SNEI's global information security program (as well as its physical security program in North America).
TITLE Director, Darwin Deason Institute for Cyber Security
ORGANIZATION Southern Methodist University
Frederick Chang, Ph.D., is a cybersecurity researcher who is working to educate the next generation of security specialists. He returned to academia in September 2013 after a career in commercial entities and government as the research director of the NSA, to lead the cybersecurity program at Southern Methodist University in Dallas, Texas.
"As the former director of research at the National Security Agency, I can tell you that I had a front row seat with a view into what the planet's most sophisticated cyber adversaries would like to do to the United States," said Chang at the time of his appointment. "I had the opportunity to work with some of the brightest minds in cybersecurity in our country. In coming to SMU, I will once again have the opportunity to work with world-class talent."
As the first Bobby B. Lyle Centennial Distinguished Chair in Cyber Security at SMU's Lyle School of Engineering, Professor Chang is focused on creating an interdisciplinary approach to cybersecurity. With that strategy in mind, he is also a senior fellow in the John Goodwin Tower Center for Political Studies at SMU's Dedham College.
Chang believes that "a coherent science and engineering of cybersecurity" does not exist today. "We will continue to work hard to close the skills gap," he said. "The nation needs many more cybersecurity professionals than are being trained now. Our SMU students will be trained, they will get good jobs and importantly we will bestow upon them an enduring mission to stop cybercrime."
In addition to his 2005-2006 tenure at the NSA where he received the Distinguished Services Medal, Chang has served as president and chief operating officer of 21CT Inc., SBC Communications and research positions at University of Texas, Austin and San Antonio.
TITLE Security engineer
COMPANY: Heroku Inc., a Salesforce.com company
Leigh Honeywell says she left her heart not in San Francisco (where she currently lives and works), but in Toronto. She's been involved in co-founding a hackerspace (HackLabTO) there, and "finally" finished her Bachelor of Science in computer science and equity studies (equality, not finance) a few years ago at the University of Toronto.
After stints at Microsoft, MessageLabs/Symantec and Bell Canada, these days she works at Heroku (part of Salesforce.com) on the company's security team, but she wants us to note that she's "not any sort of official spokesperson for them."
We took note of Honeywell because as an avid tweeter @hypatiadotca, she's a frequent and positive contributor to the lively security discourse on Twitter, both about day-to-day security work ("amuuuurca, land of the free, home of the massive payment breaches") and also raises questions about gender equality and culture. She helped launch a feminist workspace called the Seattle Attic Community Workshop in Pioneer Square in Seattle, does a fair amount of public speaking and is an administrator of the Geek Feminism wiki.
Honeywell is focused on secure software development ("it's an unsolved problem!"), hackerspace creation ("welcoming environments for those who have been traditionally underrepresented"), vulnerability incident response ("we're in an exciting, transformative time in the evolution of how researchers work with software vendors"), and fighting harassment in the security community.
TITLE Product designer, founder
COMPANY: Grand Idea Studio Inc.
Joe Grand is well-known as the guy who designed the first five conference badges for DefCon that had blinking lights. The badges had processors and LEDs on board beginning in 2006. Initially it was nothing fancy, but the blinking badges started to snowball as more DefCon attendees over the years got involved in hacking their own badges to create customized performances. If you want to get security researchers thinking about the security of hardware in a world about to become embroiled in the Internet of Things, you'd be hard pressed to think of a better way than to put the right toys in front of the right people.
Grand's association with security dates back to his involvement with L0pht Heavy Industries beginning in 1993. His hardware engineering cred can be traced back to a Bachelor of Science degree in computer engineering from Boston University. He later was awarded an honorary doctorate of science in technology from the University of Advancing Technology in Tempe, Ariz.
His role as an early member of what might be called one of the original hackerspaces was formative, he says. It shaped who he was, but the group also influenced the computer security industry in critical ways, pushing questions around vulnerability research and disclosure into the security mainstream. A New York Times article in 1999 described the group's work in terms that made news then and is considered standard procedure today:
Upon discovering a security flaw in commercial-network software, the L0phties publish an advisory on their Web site. The advisory is a double-edged sword: a detailed description of the flaw -- enough information for other hackers to duplicate the 'exploit' -- and a solution that tells network administrators how to close the loophole.
Grand's latest projects include an open-source tool called JTAGulator for identifying on-chip debug facilities on hardware currently used in embedded devices. "As strange as this may sound," he says, "I've been most excited recently about reverse engineering PCBs [printed circuit boards]. While most hackers are focused at a chip- or system-level, board-level attacks have largely been overlooked." Grand noted that he "recently finished up a DARPA Cyber Fast Track project to study and experiment with various methods to deconstruct PCBs in order to access copper layers.
"I'm now working on a software tool to assist in recreating a schematic based on a collection of such copper layer images," he says. "It's a tool I've always personally wanted and is a great opportunity for me to sharpen my coding skills."
TITLE Senior vice president of engineering
Data privacy is the Holy Grail in healthcare as the medical industry continues to digitize patients' records and secure access to that information. Faced with confidentiality, security and compliance requirements, Terry Low led the team that launched the PointClickCare cloud-based system for healthcare providers, who specialize in senior and rehabilitative care. The on-demand PointClickCare system enables medical practitioners to view patient charts, electronically co-sign orders and deliver care using a mobile device.
In order to meet privacy and security rules, a positive ID is required for electronically signing orders, observations and notes. By choosing PointClickCare for HIPAA-compliant mobile conversations with guaranteed secure access, approval and digital signatures by VASCO's authenticators (GO6), the application offers practitioners not only security, but also convenience.
A veteran of enterprise software development, Low has recently focused on "appliancizing" software and services. As the former vice president of product development at Trustwave, Low headed the group responsible for the company's security event and information management (SIEM) software and appliances. He joined Trustwave when the company acquired Intellitactics, a security company where he was the vice president of development for its SIM/SEM product suite. Throughout his 25-year career of software development and information security, Low has worked at Mitel, Bell Northern Research, IBM (WebSphere Commerce suite), Delano Technology and DataMirror (which was acquired by IBM). He has a Bachelor of Arts from York University in mathematics and computer science and a Master of Science in industrial engineering and operations research from Southern Methodist University. In his current position, Low is responsible for the development of the company's technology infrastructure, architecture, core services and application product suites.
COMPANY: Founder, Logical Security LLC
INDUSTRY: Information security training and consulting
Though we'd ordinarily refrain from honoring someone who regularly and closely worked in a business relationship with us, we'd like to honor in memoriam our valued contributor Shon Harris, who died in early October. Harris's influence in the field wasn't flashy, but it was a profound and lasting one, as the contributions of great teachers so often are.
She founded Logical Security LLC, an information security training and consulting company, in 2002. She quickly built a reputation for offering the industry's most comprehensive, challenging and up-to-date security certification training, focusing on the CISSP, CEH, Security+ and others.
Harris authored several international best-selling books on information security published by McGraw-Hill and Pearson, which have sold more than 1 million copies and have been translated into six languages. She authored three best-selling CISSP books and was a contributing author to the books Hacker's Challenge, Gray Hat Hacking and Security Information and Event Management (SIEM) Implementation. She also wrote academic textbooks for various publishers and countless articles for trade magazines.
She consulted for a large number of organizations in every business sector (financial, medical, retail, entertainment, utility) and several U.S. government agencies over the last 18 years. She also worked directly with law firms as a technical and expert witness on cases that range from patent infringement to criminal investigations and civil lawsuits, and she specialized in cryptographic technologies.
Prior to starting her career as an information security consultant and author, Harris served as an engineer in the Air Force's Information Warfare unit.
(This entry is based on a remembrance of Shon written for SearchSecurity.com by Executive Editor Eric Parizo.)
About the authors:
Kathleen Richards is the features editor of Information Security magazine. Robert Richardson is the editorial director of TechTarget's Security Media Group.