SOME ARE VISIONARIES. Some are technologists. Some are policy and process mavens. All are winners of Information Security's second annual Security 7 award.
Information Security, our sister site SearchSecurity.com
We solicited nominations from the security industry and then had an expert panel select the
PROTECTS $16.8 BILLION HEALTH CARE AND INSURANCE PROVIDER
MELDS SAFETY AND SECURITY
PIONEER IN INTRUSION DETECTION
STANDARD BEARER FOR AIRLINE SECURITY
EARNS A+ FISMA GRADES
DEVELOPS ANTI-SOCIAL ENGINEERING PROGRAM
CONCEPTUALIZES, ARTICULATES FUTURE DIRECTION OF SECURITY
Security 7 Winners
BY ERIC B. PARIZO
There was a time not long ago when very few companies got "it," says Craig Shumard. "It" being the realization that information security and risk management are paramount to every enterprise.
"Back in the late 1990s, when we talked to our peer companies, the level of sophistication on risk issues wasn't there," says the CISO of health care and insurance giant CIGNA. "Today, there's really been a lifting of all boats."
Shumard deserves his share of credit for that evolution. After more than a quarter century at CIGNA, the last seven as CISO, the 55-year-old has become perhaps the most outspoken security executive in his industry. In fact, he's not averse to working with competitors to help them grasp why the safety of sensitive data is not to be taken lightly, especially when contractors and business partners are involved.
"One of the things that has always concerned me is the fact that when people look at their business partners, they look at them with different lenses...less diligently," Shumard says. "We have reviewed numerous third parties with serious issues, only to find that they do business with other big-name companies who paid little or no interest to the risk of their data. Having some sort of criteria that's consistent and robust, and getting suppliers and third parties certified, so to speak, would go a long way toward promoting information security in our industry and across industries."
Yet even after recent high-profile data breaches, Shumard says there still are organizations that haven't put measures in place to account for and control access to sensitive data. Worse yet, he says, some still underestimate the threat posed by rogue, trusted users.
In CIGNA's case, the $16.8 billion firm has an extensive list of information security policies, but Shumard says more than half of them can't be fully enforced because user actions can't be properly monitored and controlled. That means relying on its 28,000 employees to follow policy. For many firms, that's where things go wrong.
For instance, Shumard says that like many companies, CIGNA allows employees to decide whether email messages should be encrypted based on the sensitivity of each message. Users are also tasked with encrypting data on removable media, but since it's not an automatic process, it's easy to forget.
Even security vendors don't fully recognize the problem. Shumard says most security products available today focus on external threats, rather than controls and processes to manage trusted users.
Despite those difficulties, CIGNA has been able to mitigate internal and external dangers because employees buy into the importance of security. Shumard says a company-wide program only thrives when it is an ingrained part of the corporate culture. That's why when he helped develop CIGNA's first comprehensive risk profile many years ago, he didn't restrict the process to a select few decision makers.
"When we did our first risk assessment, we had input from more than 250 people, and quite frankly, for many that was the first time they had thought about these issues," he says. "It started the whole process of engaging people, and was the genesis of our strategic road map." Bill Downes, assistant vice president of the information protection organization at The Hartford, has exchanged ideas with Shumard on different technology rollouts and process issues. The Hartford and CIGNA push security responsibilities into lines of business, and the two have been a sounding board for strategies, successes and struggles.
"It's always beneficial to have someone you trust in the industry," Downes says. "A guy like Craig is street smart. He provides feedback and input you could trust."
Looking ahead, Shumard says the pool of information security professionals has never been larger and more talented. The people he hires today, who have often studied information security in college and have seven or eight years of experience in the field, are much more capable than new hires were just a few years ago.
Shumard is quick to emphasize the success of his team, which he says deserves the credit for executing the risk-based program that has kept the company's data safe.
"If I were to retire today," Shumard says, "given the fundamentals we've put in place and the way we've positioned and framed security, I'm very comfortable that the organization would sustain itself and thrive."
Security 7 Winners
BY NEIL ROITER
DuPont CISO Larry Brock knows that protecting a complex global organization isn't a one-man job--and that's one of the traits that make him a singular information security leader.
"It's one thing to come up with policies, but it's much more important to have influence capability," says Brock, whose drawl gives away his Jackson, Tenn., roots. "So as a new threat emerges, I can convince leadership to invest in mitigating and controlling that risk."
Brock brings a blend of business and security savvy to the CISO position, which he's held for about five of his 27 years at DuPont. He's held jobs in corporate IT and several of the company's business units, and has continued to have a role at NSA through 26 years in the Air Force Reserve, from which he retired as a lieutenant colonel.
"The culture, for me, shifted from security briefings to safety briefings," says Brock, who still devotes some of his time to the NSA. "In the military, security was the No. 1 core value. At DuPont, safety is a real core value--we may be unique."
Security and safety are joined at the hip at the vast Wilmington, Del.-based company. DuPont encompasses a large number of process-control environments that manage sensitive chemical processes; if those are tampered with, safety could be compromised.
DuPont's global presence--some 150 companies in 70 countries--also weighs heavily on these tightly linked safety-security concerns. "We take environmental and safety requirements very seriously, including the computer systems that control our processes. If we don't take our stewardship in the countries we operate in very seriously, we can lose our right to operate there."
Brock's talent for working with people goes beyond influencing business leaders at DuPont. He's developed productive relationships with security leaders at other corporate giants.
"He's willing to help support what you are trying to do without asking for anything in return," says Richard Jackson, Chevron's chief information protection officer. "What I've learned from Larry is that in the terrible battle going on between people who are trying to protect assets and those who threaten them, the path to success can't be taken by yourself--you need friends you can confide in."
"Larry builds incredible teams and loyalty," says John Puckett, CTO of DuPont's Information Technology Division. "He recognizes individuals' contributions--it's all about recognition."
In his years at DuPont, Brock has seen information security move from computer and network security and become integrated into all IT processes and many business processes.
It's no surprise, therefore, that Brock says the CISO is more of an information risk officer. His organization touches many cross-functional operations including disaster recovery, risk management, and records management--the critically important ability to classify, retain and properly dispose of records.
"Larry's much broader than security," says Jackson. "A CISO has to be not only a good security practitioner but part lawyer, part salesman, part marketer, part negotiator and part facilitator."
Brock can trace part of that ability to his role as CIO of one of DuPont's business units for a number of years. There, he honed his management skills to work with business leadership and learned how to collaborate with members across multiple functions.
That's critical, he says, as security has become "almost a board-level issue" because of the importance of protecting critical intellectual property potentially worth billions to DuPont. The global nature of the markets in which the company does business requires that DuPont collaborate with partners. Brock's contemporaries say securing those relationships is a challenge he's well equipped to meet.
"Larry has the unique ability to think globally and execute locally," says Puckett.
"He has a vision of what he's trying to accomplish," says Jackson. "He's data driven, asking, 'What are the facts?' And, he surrounds himself with good people. He gets results."
Security 7 Winners
BY MARCIA SAVAGE
Fresh out of college and working in computer security in the late '80s, Paul Proctor was toying with some ideas about an emerging technology called intrusion detection. But it wasn't until he read Dorothy Denning's groundbreaking 1987 paper, "An Intrusion Detection Model," that he knew he was on the right track.
"That was like a spark that made me go very heavily into intrusion detection. She provided that spark with her ideas," recalls Proctor, who went on to write a book on the subject and is now a research vice president with Gartner.
He also remembers how much time Denning spent talking with him--when Proctor was 22--at a series of IDS workshops held by research institute SRI International. "Here's this Ph.D. who has done all this seminal work, and she was giving me not only the time of day, but engaging me in real conversations."
Proctor is one among scores in information security who have been influenced by Denning, who pioneered the field as a writer, researcher and professor. In the infosecurity world, Denning is like actor Kevin Bacon and has six degrees of separation from anyone, says Amit Yoran, former cybersecurity chief at the Department of Homeland Security.
"You'd probably find that many people in the field, at one point or other, were students or colleagues of hers," says Yoran, a student of Denning's in the early 1990s when she taught at Georgetown University.
Today, a professor of defense analysis at the Naval Postgraduate School in Monterey, Calif., Denning has penned more than 120 articles and four books, including Cryptography and Data Security and Information Warfare and Security. She's won numerous awards, and was named a Time magazine innovator in 2001. She's also held many leadership and advisory roles, including serving on the boards of companies formerly headed by Yoran and Proctor.
Her work, she says, has been mostly driven by intellectual curiosity rather than a sky-is-falling complex: "I can honestly say I'm not motivated by some sense of doom--that I've got to do this or the Internet is going to fall apart," Denning says.
Growing up in Grand Rapids, Mich., Denning excelled at math and spent summers working at her father's wholesale building supply business. When she headed to the University of Michigan, she figured on becoming a high school math teacher.
But as a computer science doctoral student at Purdue University in 1972, she took a class on operating systems that proved life-changing. Security was one of the topics the class studied, and Denning was hooked. She chose it for her thesis topic, and produced what became the influential lattice model for secure information flow. The class changed her life in more ways than one--she later married the man who taught it.
Denning has been a visionary, says Peter Neumann, principal scientist at SRI's computer science laboratory. In addition to her pioneering work in cryptography and intrusion detection, Denning broke ground in database security. At SRI, she and Neumann worked on SeaView, a project to develop a model for a multilevel secure database system.
"She's been keenly aware of emerging problems early on," Neumann says.
Denning also doesn't shy away from controversial positions. "She's not afraid to stand up to anyone and justify her position," Yoran says. In the '90s, her support of the ill-fated Clipper chip, which would have allowed U.S. officials to decipher coded messages, brought her heavy criticism. "Clipper Chick" was one of the monikers bestowed on her.
"I don't regret anything I did," Denning says. "But I think the right decisions were made by the government to liberalize [encryption] export controls. That period led to a lot of innovation in cryptography."
More recently, she's known for inventing geo-encryption, a technology for scrambling data until it reaches a certain location.
A major focus for Denning these days is cyberterrorism. After much study, she's concluded that terrorists aren't close to posing a major threat on the Web. "You won't see the power grid shut down by terrorists anytime soon, at least not from the indicators I've found," she says.
Security 7 Winners
BY MICHAEL S. MIMOSO
The risks associated with converting future aircraft into what amounts to a flying IP network probably send shudders through the spines of airline information security managers.
Not Andre Gold.
These are the challenges that drive Continental Airlines' director of information security. Answering seemingly impossible mandates has been the hallmark of Gold's career with the airline. In 10 years he's served in two capacities: six years as technical director of Internet services, developing and managing an ecommerce infrastructure that last year raised $1.6 billion for the airline, and the last four as information security manager.
Securing a network with endpoints in 277 countries has forced Gold to sharpen his flight plan and become proficient in everything from vulnerability management to provisioning, to network access controls.
And, oh-by-the-way, he's chasing down an MBA part time at Colorado State University, meeting head-on a trend in the infosecurity industry that deems managers must have business chops to remain relevant.
"The days of the firewall, IPS and other sexy technologies are over [for CISOs]," Gold says. "It's about how you mitigate risk and improve shareholder value with the security program you implement."
That takes us to Gold's latest venture, bringing services like wireless broadband connectivity and secured ground-to-cockpit communication and data sharing to next-generation aircraft.
Gold represents Continental on the Data Link Security Subcommittee, an industry board that includes representatives from other airlines, the Air Force and manufacturers like Boeing, Honeywell, Airbus and Rockwell. The group is drafting security protocols that will enable not only Wi-Fi connectivity, but how future aircraft connect to respective carrier networks, offload messages, and upload data like gate information.
While Gold thrives in an industry perennially targeted by terrorists--Continental was one of the airlines speculated as a target in August's foiled plot to blow up U.S.-bound airplanes from the U.K.--he contends with direct and indirect Internet-based threats every day.
The airline's ecommerce system connects to other airlines, hotels and rental-car agencies, creating a bevy of disparate places from where attacks could infiltrate the airline's network.
"From a cyber perspective, attacks won't come from just one place. Continental may not be the target, but could become the target after an affiliate is penetrated," Gold says. "That's what makes the task so daunting."
Geography presents another challenge to the security of Continental's network and policy expression and enforcement. Operations in 277 countries force Gold and his teams to sharpen their awareness of international regulations. And since Continental outsources service delivery in many countries, lack of employee awareness could raise liability and exposure.
Gold's reputation precedes him as not only a technically savvy manager, but one who is passionate about reaching out to vendors--startups in particular--and researchers.
"I like working with technology incumbents who want to listen, or startups with valued security IP. There's a lack of innovative technology that addresses my liabilities," Gold says.
ConSentry Networks, for one, has benefited from Gold's insight into network access controls, says Dean Hickman-Smith, vice president of sales.
"[Gold] has always been able to rapidly understand and work with new technologies, not just buzzword stuff of the moment," Hickman-Smith says. "He can rapidly get down to technical details with new vendors to ascertain if there is value in their products."
Hickman-Smith adds that Gold is one of the first CISOs to understand the true value of identity within a network context, and fit that into a business context.
"Andre has an extremely nice personality, and that makes people want to go the distance for him," Hickman-Smith says.
"I see him as a CIO, CTO type of guy in the not-too distant future."
Security 7 Winners
BY KELLEY DAMORE
Every morning when 8,000 employees from 80 different countries log on to their computers, a security fact pops up on their screen. Employees of the U.S. Agency for International Development (USAID) must read it and answer the subsequent quiz before they can launch any of their applications.
This security awareness program is just one example of how CISO Philip Heneghan has made security a way of life for the agency, which on the eve of his arrival received an F on its 2002 Federal Information Security Management Act (FISMA) report card. "It certainly couldn't get any worse," laughs Heneghan. "But it made it an easier sell that we needed to change." The agency has received an A+ for the past two years, with a perfect score in 2005.
That's quite an accomplishment, particularly given the vast scope of USAID's mission and IT infrastructure. The agency supports economic development and provides humanitarian assistance and aid to such dangerous and remote places as Sierra Leone, Sudan, Afghanistan, Iraq, Haiti and Mongolia. As a result, the agency relies on connectivity from 55 Internet service providers, manages more than 16,000 network devices, 100 firewalls, 300 routers, and a slew of heterogeneous applications.
But Heneghan had a mission of his own: hold the government agency's business owners accountable for risk and provide them with metrics on which to base their decisions. Before Heneghan joined the organization, the security team worked in a vacuum. It was solely responsible for security fixes, but had no communication with other parts of the organization. What's more, the insular security team had little desire to let outsiders meddle with technical security affairs.
That's all changed under Heneghan's watch. He dismantled the agency's organizational silos and issued monthly vulnerability and risk report cards to the CFO, the head of human resources, country managers and other key executives. "There was a 75 percent reduction of the vulnerabilities in six months. The executives had not known there was a problem," says George Moore, deputy information security systems officer for USAID.
Heneghan also changed the accreditation process. While he committed to certifying systems, he put the onus on the business owners to accept or mitigate the risk associated with data in their departments. Soon, they were engaged in OS and database security, says Heneghan, who is now acting CIO for the agency. "He emphasized measurement and processes, and the outcome speaks for itself," says John Streufert, CISO for the U.S. State Department.
But it was easier said than done. Heneghan first needed to build up the security infrastructure so he could capture and present the correct data to the business executives in a way they could understand. To that end, Heneghan and his team brought in host and network IDSes, a vulnerability management system, and a SIM to collect and aggregate the data. In the end, USAID became the first government agency to roll out a security risk analysis solution that could prioritize vulnerabilities based on business risk--even if those risks were being assessed remotely.
"We needed all that data to make an informed risk management decision," says Bill Geimer, program manager for Open System Sciences at USAID. "[In the past] we would do vulnerability scans once every six months and it was a struggle to get any vulnerabilities fixed. At the time we really had a limited understanding of the technical risk we had accepted. Now we scan all network systems every two to three days."
The agency's ability came into play in December 2004 when the tsunami struck Southeast Asia, killing more than 200,000 and displacing close to 2 million people. USAID needed to establish a presence in the region immediately. Since much of the region was devastated and the traditional method of setting up networks was not feasible, Heneghan's security team needed to closely monitor the risk to systems.
"The networks established were in violation of all the rules. But as long as we could monitor the risk, we could get it under control. By February we were able to get the risk into acceptable limits," says Heneghan.
"I feel like we are always raising the bar," says Geimer. "Phil is unyielding--sort of a patriot making a difference."
Security 7 Winners
BY DENNIS FISHER
Stephen Bonner got into security by accident, but his success since hasn't been.
Trained as a mathematician, Bonner took a somewhat nomadic path through the academic, government and private sectors, before landing a job that is the envy of most of his peers: global head of information risk at Barclays Capital, a London-based investment banking company.
While Bonner may have gotten into the security industry through the side door, his positive results have been up front. He and his staff have delivered more than two years without a virus infection at Barclays' U.K. division. He has set up a comprehensive in-house forensics and incident-response team, and has put in place an anti-social engineering program that has identified several malicious employees, leading to their dismissal.
"I was always interested in security, but it took me many years to realize that I could get paid for working in the field. It was an unusual transition," Bonner says.
Before landing at Barclays in 2003, Bonner honed his skills at several universities, including Oxford, and then took a position in the late 1990s with Richard Branson's fledgling ISP, Virgin.net. The famously unpredictable and bombastic Branson needed someone to run the operations of his pet project; Bonner was brave enough to accept. During his time at Virgin, the ISP increased its subscriber base 20-fold and Bonner was soon responsible for all of its security.
Those who know Bonner say his background gives him a unique skill set and perspective on the industry and security problems.
"He has a kind of intuition about where the next problem might come from," said Gidi Cohen, CEO of Skybox Security, a maker of risk analysis software. Bonner is a member of the company's customer advisory board. "Knowing the risk management domain helps him with regulatory compliance. It was only natural for him to apply that knowledge to security. He sees what we see, which is security and risk management merging."
At Virgin, Bonner also got a quick education in finding and prosecuting online miscreants. Branson had little patience for hackers, so Bonner soon became expert at finding evidence; Bonner had 100 percent success in court.
"Richard has a lot of people working for him with very strong opinions," Bonner says. "I assisted in a lot of prosecutions."
His experience in the courtroom, combined with the work in the server room, gave Bonner the background and motivation to set up Barclays' forensics and investigation program. The company had been outsourcing forensics work for some time, but Bonner soon developed a team of security specialists who had both the capacity and willingness to do the work.
The more phishing and Trojan attacks Bonner and his team dealt with, the more proficient they became at identifying and stopping them. A side effect of this was that many on his 29-member security team developed high-level forensic and investigative skills, scarce talents in the infosecurity profession.
"Half the team is trained right now. It's like a fire brigade in a small town. My team can put out the small fires, and call in the fire department to put out the big ones," Bonner says. "But just by the nature of what they've accomplished, we do have some of the world's best people at this now."
The team's expertise is an outgrowth of Bonner's philosophy of being prepared for--instead of reacting to--attacks and other incidents. But none of that would be possible without the financial and administrative support he gets from senior management at Barclays.
"We get all that we need and more," Bonner says. "That enables us to be ahead of the curve. Other places are very reactionary--they have to go out and ask for funding when something happens. Now when things come through, we're prepared for it. You can't wait until you have a problem to build the infrastructure. It's too late. [Senior management at Barclays] gets it."
Security 7 Winners
BY BILL BRENNER
As Bell Canada's chief security executive, Robert Garigue always remembers what his father Philippe taught him: "Serve the public above all, and never stop learning."
"My father was an academic, and he was in the military," Garigue says. "He taught me the value of learning, working for a cause and actively participating in the community. In the private sector, security is part of that tradition, ensuring the protection of your customers and the community at large."
Garigue became chief security executive of Bell Canada earlier this year after several years as CISO of the Bank of Montreal Financial Group. Before that, he was assistant deputy minister for the province of Manitoba's Office of Information Technology and served in the Canadian military, specializing in information warfare. Earlier in his career, he worked as a special assistant to former Prime Minister Charles Joseph "Joe" Clark.
He describes his time in the military and government as an ongoing education that continues today, despite the long work hours he typically logs. When he's not working, Garigue immerses himself in academia. He recently finished work on a Ph.D. in knowledge management at Carleton University in Ottawa, and has written a number of articles and essays. His wife calls his academic endeavors a hobby.
One former colleague says it's not hard to see why Garigue is such an effective security executive.
Marc Stefaniu, who worked with Garigue as a senior IT security manager at the Bank of Montreal, says Garigue is a master at conceptualizing what the security landscape will look like years into the future and developing a strategy that fits it.
"He's a visionary with an unmatched ability to articulate the future directions of information management, information security and the changing role of the chief information security officer," Stefaniu says, adding that Garigue also builds strong teams of professionals "by discovering and encouraging what everyone can offer the best in order to build new synergies and value for the organization."
Stefaniu says Garigue is also a good manager of people who sets high performance expectations and is always ready to acknowledge his staff's accomplishments instead of seeking the limelight.
Garigue, meanwhile, says his big-picture security philosophy is about how companies identify current and future threats, and manage risks.
"Security isn't about the daily brushing and flossing--the use of antivirus and firewalls. It's about starting to identify the things that take a long time to institutionalize," Garigue says. "It's looking at what the future risks are and what you put in place to manage the risks. It's about strategizing."
Garigue says in the next decade, strategies will shift from defending the networking infrastructure and operating system, to placing layers of security around individual pieces of content like Word documents and files for movies and music.
"In the beginning the focus was access control, who you let in and who you didn't let in, and then we created firewalls," he says. "In the next iteration [of the industry], we realized security is about the integrity of the operating environment, and so you had things like patch management. Now we're looking at ID and access management, who's a contractor, who can see what information and so on."
To that end, he said security boundaries are moving toward the content. "You don't know where the content is going to go, so the unit of security has moved from the network, to the OS, to now the content," Garigue says. "It's about appropriately tagging content with the right checks and balances. You want your Word documents and music files to have digital rights management around them."
However security evolves, Garigue says one thing will never change: the need for security professionals who embrace the values his father taught him. On that score, he says, the future of cyberspace is in good hands.
"People in security today are truly concerned about the welfare of the public at large," he says. "All the teams I have worked for have been very passionate and dedicated to ensuring that their buddies are safe. These things are very close to the heart of every security practitioner I've worked with."
This was first published in October 2006