Speaker Biographies
Alessandro Acquisti is an Assistant Professor of Information Technology and Public Policy at the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, a partner at Carnegie Mellon Cylab, and a Research Fellow at the Institute for the Study of Labor (IZA). His work investigates the economic and social impact of IT, and in particular the interaction and interconnection of human and artificial agents in highly networked information economies. His current research focuses primarily on the economics of privacy and information security, but also on the economics of computers and AI, agents economics, computational economics, ecommerce, cryptography, anonymity, and electronic voting. His research in these areas has been disseminated through journals, book chapters, and leading international conferences.
Prior to joining CMU Faculty, Alessandro Acquisti researched at the Xerox PARC labs in Palo Alto, CA, with Bernardo Huberman and the Internet Ecologies Group; at JP Morgan London, Emerging Markets Research, with Arnab Das; and for two years at RIACS, NASA Ames Research Center, in Mountain View, CA, with Maarten Sierhuis and Bill Clancey. At RIACS, he worked on agent-based simulations of human-robot interaction onboard the International Space Station. In 2000 he co-founded PGuardian Technologies, Inc., a provider of Internet security and privacy services, for which he designed two currently pending patents.
Alessandro has received national and international awards, including the 2005 PET Award for Outstanding Research in Privacy Enhancing Technologies and the 2005 IBM Best Academic Privacy Faculty Award. He is a member of the program committees of various international conferences and workshops, including ACM EC 06, PET 06, WEIS 06, ETRICS 06, WPES 05, LOCA 05, QoP 05, and the Ubicomp Privacy workshop at Ubicomp 2005.
In a previous life, Alessandro worked as a classical music producer and label manager (PPMusic.com), arranger, lyrics writer (BMG Ariola/Universal), and soundtrack composer for theatre, television (RAI National Television), and indie cinema productions.
Alessandro Acquisti has lived and studied in Rome (Laurea, Economics, University of Rome), Dublin (M.Litt., Economics, Trinity College), London (M.Sc., Econometrics and Mathematical Economics, LSE), and in the San Francisco Bay Area, where he worked with John Chuang, Doug Tygar, and Hal Varian and received a master's degree and a Ph.D. in Information Management and Systems from the University of California at Berkeley.
Podcasts Featuring Alessandro Acquisti: Privacy: The Slow Tipping Point
Christopher Alberts is a senior member of the technical staff in the Acquisition Support Program at the Software Engineering Institute. His research is currently focused on developing advanced management methods for assuring mission success in complex environments. Prior to his work in this area, he co-developed the OCTAVE® approach for managing information security risks and the Continuous Risk Management methodology for managing software development project risks. He has also co-authored two books, Managing Information Security Risks: The OCTAVESM Approach (Addison-Wesley 2002) and the Continuous Risk Management Guidebook (Software Engineering Institute 1996).
Podcasts Featuring Christopher Alberts: Assuring Mission Success in Complex Environments
Julia Allen is a senior researcher within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen is engaged in developing and transitioning executive outreach programs in enterprise security and governance, and works extensively with the IT operations and audit communities. Prior to this technical assignment, Allen served as acting Director of the SEI for an interim period of 6 months as well as Deputy Director/Chief Operating Officer for 3 years. Her degrees include a B. Sci. in Computer Science (University of Michigan) and an MS in Electrical Engineering (University of Southern California). She is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley, June 2001), Governing for Enterprise Security (CMU/SEI-2005-TN-023, 2005) and a co-author of Software Security Engineering (Addison-Wesley, May 2008).
Podcasts Featuring Julia Allen: Compliance vs. Buy-in | Why Leaders Should Care About Security | Getting Real About Security Governance | Information Security Governance and Nuts and Bolts for an Information Security Program (Q-CERT podcasts) | Building More Secure Software
Jennifer Bayuk is an independent consultant on topics of information confidentiality, integrity, and availability. She is engaged in a wide variety of industries with projects ranging from oversight policy and metrics to technical architecture and requirements.
Jennifer has a wide variety of experience in virtually every aspect of information security. She was a Chief Information Security Officer, a Security Architect, a Manager of Information Systems Internal Audit, a Big 4 Security Principal Consultant and Auditor, and a Security Software Engineer.
Jennifer frequently publishes on information security and audit topics and has lectured for organizations that include ISACA, NIST, and CSI. She is certified in Information Systems Audit (CISA), Information Security Management (CISM), and IT Governance (CGEIT) and has master's degrees in Computer Science and Philosophy. She can be reached at www.bayuk.com.
Podcasts Featuring Jennifer Bayuk: Concrete Steps for Implementing an Information Security Program
Sean R. Beggs is the Director of the Master of Information Systems Management (MISM) and the Master of Science in Information Security Policy and Management (MSISPM) programs at the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University.
Sean has held positions in information technology at Carnegie Mellon for the past eight years, including Computer Support Manager and Support Specialist. In addition, he has taught IT courses for a local technical college. Prior to working at Carnegie Mellon, Sean conducted neuropsychological testing at the University of Pittsburgh and worked as a jet engine mechanic for the United States Air Force.
Sean received his MS in information technology from Carnegie Mellon University and his BS in psychology from the University of Pittsburgh.
Podcasts Featuring Sean Beggs: What Business Leaders Can Expect from Security Degree Programs
William C. Boni has spent his entire professional career as an information protection specialist and has assisted major organizations in both the public and private sectors. For 30 years, beginning as a Special Agent in U.S. Army Counter-intelligence, Bill has helped a variety of organizations design and implement cost-effective programs to protect both tangible and intangible assets. He has pioneered the innovative application of technologies, including computer forensics and intrusion detection, to deal with incidents directed against electronic business systems.
Boni is the Corporate Vice President and Chief Information Security Officer of Motorola Information Protection Services. He is responsible for the company's overall program to protect critical digital proprietary information, intellectual property and trade secrets. He also directs the people, processes and technology programs that safeguard the company's global network, computer systems and electronic business initiatives.
Boni is Vice President and Board member of the global Information Systems Audit and Control Association (ISACA) and chairs the IT Governance Institute, which develops the COBIT (Control Objectives for IT) governance and management framework.
Podcasts Featuring Bill Boni: Dual Perspectives: A CIO's and CISO's Take on Security
Dawn Cappelli is Senior Member of the Technical Staff in CERT at Carnegie Mellon University's Software Engineering Institute (SEI). She has over 25 years of experience in software engineering, including programming, technical project management, information security, and research. She is technical lead of CERT's insider threat research, including the Insider Threat Study conducted jointly by the U.S. Secret Service and CERT. Other current work includes modeling and simulation projects for risk analysis and communication of the impacts of policy decisions, technical security measures, psychological issues, and organizational culture on insider threat. Ms. Cappelli is also adjunct professor in Carnegie Mellon's Heinz School of Public Policy and Management. Ms. Cappelli has been with Carnegie Mellon since 1988. Before joining CERT in 2001, Ms. Cappelli was Director of Engineering for the Information Technology Development Center of Carnegie Mellon Research Institute, led special projects for the university's Computing Services, and worked on projects for the Software Engineering Institute's Information Technology team. Before joining the SEI in 1988, Ms. Cappelli was a Software Engineer for Westinghouse Electric Corporation, developing nuclear power plant systems.
Podcasts Featuring Dawn Cappelli: Protecting Against Insider Threat | Insider Threat and the Software Development Life Cycle
Richard Caralli is a senior member of the technical staff on the Survivable Enterprise Management team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Caralli is currently the team leader for developing and delivering methods, tools, and techniques for enterprise security and resiliency management. His work includes the exploration and development of process-oriented approaches to security management. Before joining the SEI, Caralli was responsible for developing the information security assessment and risk management capabilities of the CyberSecurity Center at Carnegie Mellon Research Institute. In addition, Caralli has over 25 years of experience in information technology (particularly systems analysis and information systems audit and security) in Fortune 1000 companies covering the banking and finance, steel production, light manufacturing, and energy industries.
Caralli holds a BS degree in Accounting from St. Vincent College and an MBA with a concentration in Information Technology from the John F. Donahue Graduate School of Business at Duquesne University. He has previously been on the Adjunct Faculty at Community College of Allegheny County and is a frequent lecturer in Carnegie Mellon's Heinz School of Public Policy and Management and the CIO Institute's Executive Education programs.
Podcasts Featuring Rich Caralli: Adapting to Changing Risk Environments: Operational Resilience
Jeffrey J. Carpenter is the technical manager of the CERT Coordination Center (CERT/CC) at the Software Engineering Institute located at Carnegie Mellon University. The CERT/CC focuses on technical issues relating to Internet security, including providing Internet security information for system and network administrators, technology managers, and policy makers; guidance and coordination for major Internet security events; leadership in the response team community; and assistance with the formation and development of computer security incident response teams (CSIRTs).
Before joining the CERT/CC, Carpenter was a systems analyst for the University of Pittsburgh, where he was responsible for many of the UNIX-based services provided by the computer center and was one of the architects of its distributed UNIX environment.
Carpenter regularly collaborates with and presents to a number of external organizations to help understand the current state of Internet security and to address current and future security problems facing the Internet.
Podcasts Featuring Jeff Carpenter: Tackling Security at the National Level: A Resource for Leaders
Brian Contos has over a decade of real-world security engineering and management expertise developed in some of the most sensitive and mission-critical environments in the world. As ArcSight's CSO he advises government organizations and Global 1000s on security strategy related to Security Information and Event Management (SIEM) solutions while being an evangelist for the security space. He has delivered security-related presentations, white papers, webcasts, and podcasts, and most recently co-authored a book titled Physical and Logical Security Convergence. In 2006 he authored a book on insider threats titled Enemy at the Water Cooler. He frequently appears in media outlets including Forbes, The London Times, Computerworld, SC Magazine, InfoSecurity Magazine, ITDefense Magazine and the Sarbanes-Oxley Compliance Journal.
Mr. Contos has held management and engineering positions at Riptech, Lucent Bell Labs, Compaq Computers and the Defense Information Systems Agency (DISA). He has worked throughout North and South America, Western Europe, and Asia and holds a B.S. from the University of Arizona in addition to a number of industry and vendor certifications.
Podcasts Featuring Brian Contos: Convergence: Integrating Physical and IT Security
William P. Crowell is an Independent Consultant specializing in Information Technology, Security and Intelligence Systems. He also is a director and Chairman of Broadware Technologies, a video surveillance software company, a director of ArcSight, Inc., an enterprise security management software company, a director of Narus, a software company specializing in IP telecommunications Infrastructure software, a director at Ounce Labs, a software company specializing in source code vulnerability assessment tools and a director of RVison, a video surveillance technology company. In July 2003 he was appointed to the Unisys Corporate Security Advisory Board (now the Security Leadership Institute) to address emerging security issues and best practices. In September 2003 he joined the Advisory Board at ChoicePoint, a data aggregation company.
Crowell is an expert on network and information security issues. He has been quoted in many trade and business publications including the Wall Street Journal, BusinessWeek, USA Today, Information Week, Network World, Computer World, Federal Computer Week, CIO Magazine and the San Jose Mercury News. Crowell has also appeared on CBS MarketWatch, CNET News, CNBC and KNTV's Silicon Valley Business. He was the technical advisor to the TV series, "Threat Matrix" during its run on ABC in the 2003 season.
Podcasts Featuring William Crowell: Convergence: Integrating Physical and IT Security
Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), is a member of the Global Chief Security Officer Council and the editorial advisory board of SC Magazine. She was recently named one of Information Security Magazine's top five "Women of Vision" and is a 2004 Fed 100 award recipient from Federal Computer Week. She has served on the Defense Science Board and has recently been named to the Center for Strategic and International Studies Cyber Commission.
Ms. Davidson has a B.S.M.E. from the University of Virginia and a M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.
Podcasts Featuring Mary Ann Davidson: Developing Secure Software: Universities as Supply Chain Partners
Scott Dynes is a Senior Research Fellow and Project Manager at the Center for Digital Strategies at the Tuck School of Business at Dartmouth College, Hanover, New Hampshire. His research interests include understanding how firms identify and manage the risks they face as a result of using the information infrastructure to enable business strategies and run business operations. He also studies critical infrastructure protection and the impact of government policy in managing the risk resulting from cyber events. Dynes holds a Ph.D. in physics from MIT.
Podcasts Featuring Scott Dynes: Business Resilience: A More Compelling Argument for Information Security | Inadvertent Data Disclosure on Peer-to-Peer Networks
Pamela Fusco has accumulated over 20 years of substantial experience as an Information Security and Risk Management Professional. She has held positions as the Chief Security Officer for Merck & Co., Inc., Digex Inc, and MCI Security Solutions, and as Executive Vice President, Global Information Security, at Citigroup. She is currently Executive Director for Security Solutions at FishNet Security.
Fusco is certified and accredited as a CISSP, CISM, CHS Level III, National Security Agency INFOSEC Assessment Methodology Auditor (AIM Auditor), and National Cryptologic School Adjunct Faculty Certified Instructor (NSA/CSS/NCS), and holds an MS in Information Management.
Podcasts Featuring Pamela Fusco: Real-World Security for Business Leaders
Brian Gallagher is the Director of the SEI's Acquisition Support Program. He builds teams from across the Software Engineering Institute to support the needs of DoD and other government acquisition programs. Brian was previously employed with the Aerospace Corporation, where he worked as a software acquisition and engineering advisor for several Air Force and NRO projects. During his Air Force career, he was the Deputy, Software Engineering with an Air Intelligence Agency remote site, Chief Engineer on the Range Operations Control Center Project at Cape Canaveral AFS, FL, a Software Project Manager for the Titan IV Program Office, and a Software Engineer with Strategic Air Command. He received his B.S. in MIS from Peru State College, and M.S. in CS/Software Engineering from Florida Institute of Technology.
Podcasts Featuring Brian Gallagher: Becoming a Smart Buyer of Software
As Corporate Privacy and Ethics Officer for Verispan, LLC, in Yardley, PA, Scot Ganow oversees enterprise-wide data protection and security. He is responsible for setting policy, employee and manager training, client awareness, privacy impact assessments, audit, and incident response management. Scot is responsible for Verispan's annual HIPAA privacy certification and serves as the leader for the Verispan Privacy Board, which is chartered to review all strategic plans and product development for privacy compliance. Scot also serves as the company Ethics Officer, responsible for all Code of Conduct-related operations. Scot has worked in the healthcare industry for 11 years. Scot received his Bachelor of Arts degree from Baylor University in Waco, Texas, and also holds the Certified Information Privacy Professional certification from the International Association of Privacy Professionals (IAPP). Scot is an active member of the CyLab Privacy Interest Group at Carnegie Mellon University, the Carolina Privacy Official Network and the Council on Data Protection at Quintiles Transnational Corporation.
Podcasts Featuring Scot Ganow: The Value of De-Identified Personal Data
As a Director of Trustworthy Computing Strategy & Risk Management for Microsoft, Kim Hargraves is responsible for the strategy and risk management program supporting such topics as privacy, accessibility and geopolitical intelligence. This includes developing and implementing global programs that enhance the privacy features of Microsoft products, services, processes and systems. Hargraves focuses on evaluating enterprise policies, risk management and corporate governance structures as they relate to privacy management and is also involved in analyzing technology policy areas such as Radio Frequency ID (RFID) as an advocate for strong privacy safeguards.
Previously, Hargraves managed the business/IT internal audit team at Microsoft, engaging in audit support initiatives to assess systems risk and performing audits across Microsoft's business units. Hargraves was responsible for providing integrated systems audit support services for operations audits, systems development and process reengineering. In addition, she developed a privacy assurance program to enhance Microsoft's ability to ensure compliance with related laws, regulations, corporate directives and best practices.
Prior to joining Microsoft, Hargraves held positions at PricewaterhouseCoopers related to security consulting and financial auditing. She also conducted financial analysis for Specialty Brands.
Hargraves is a member of the International Association of Privacy Professionals, the Institute of Internal Auditors and the Information Systems Audit and Control Association. She holds CIPP, CPA, and CISA certifications.
Podcasts Featuring Kim Hargraves: Protecting Information Privacy - How To and Lessons Learned
Dr. Gary Hinson PhD MBA CISSP CISM CISA is an IT governance specialist with over two decades in information security, risk management and IT audit. Having been employed by large pharmaceuticals, utilities, engineering, IT and financial services companies, he has been consulting since the turn of the millennium. Gary is passionate about information security awareness and the ISO/IEC 27000-series information security management standards, contributing to the continued development of the ISO27k standards through Standards New Zealand.
Podcasts Featuring Gary Hinson: Getting in Front of Social Engineering
Mike joined the Raleigh office of Womble Carlyle Sandridge & Rice, PLLC, on June 1 of this year after having practiced for 20 years at the Smith Anderson firm in Raleigh. Mike represents clients nationally in areas of privacy and data protection, including HIPAA, Gramm-Leach-Bliley, state privacy and data breach laws, PCI Security Standards, and CAN-SPAM. Mike co-authored the American Medical Association's HIPAA Policies and Procedures Desk Reference and Field Guide to HIPAA Implementation. Mike also co-authored a chapter in West's Health Law Handbook titled "De-identified Health Information: Legal and Practical Approaches to HIPAA Compliance." Governor Mike Easley appointed Mike to the North Carolina Medical Care Commission. Mike also is on the Board of the North Carolina Society of Health Care Attorneys and a co-founder of the Carolina Privacy Officials Network.
Podcasts Featuring Scot Ganow: The Value of De-Identified Personal Data
Steve Huth is the Deputy Director for Operations in the CERT Program and a Senior Member of the Technical Staff at Carnegie Mellon University's Software Engineering Institute (SEI). He has over 25 years of experience in software development, network design and management, information security, and technical and program management. Currently he is working with the Supreme Council of Information and Communication Technology in Qatar to develop Q-CERT and the GCC-CERT. Prior to joining the CERT Program, Huth was the SEI's IT Manager and the Data Network Manager for the University of Pittsburgh.
Podcasts Featuring Steve Huth: IT Infrastructure: Tips for Navigating the Tough Spots
Nicholas Ianelli is a member of the technical staff at the Software Engineering Institute's CERT® Coordination Center (CERT/CC). Nick is an analyst on the CERT/CC's Artifact Analysis team researching malicious code. Prior to joining the CERT/CC, Nick worked as a network engineer at a national (US) Internet service provider.
Podcasts Featuring Nicholas Ianelli: Tackling The Growing Botnet Threat
M. Eric Johnson is Director of Tuck's Glassmeyer/McNamee Center for Digital Strategies and Professor of Operations Management at the Tuck School of Business, Dartmouth College. His teaching and research focus on the impact of information technology on supply chain management. Through funding from the National Institute of Standards and Technology, Department of Justice, and the Department of Homeland Security, he is currently studying how information security and trust affect supply chain relationships. He has testified before the US Congress on information security and published recent articles on security and collaboration in the Financial Times, Sloan Management Review, IEEE Security and Privacy, and CIO Magazine. He holds a B.S. in Engineering, B.S. in Economics, an M.S. in Engineering and Operations Research from Penn State University, and a Ph.D. in Engineering from Stanford University.
Podcasts Featuring M. Eric Johnson: Inadvertent Data Disclosure on Peer-to-Peer Networks
Steve Kalinowski is a senior member of the technical staff and the manager of the CERT Infrastructure Group at the Software Engineering Institute (SEI). Working with a small cadre of professionals in information technology, Kalinowski is responsible for the evolution and operation of the CERT Program's information infrastructure. He also approves all core technical purchases and collaborates with the CERT director's office on management of program policy.
Previously, Kalinowski was a software developer on a team that designed and implemented the CERT Knowledgebase. Prior to joining the SEI, he was the UNIX computing services coordinator for the University of Pittsburgh. Early in his career, he was a software developer on products related to intelligent electronics troubleshooting and factory management systems.
Kalinowski holds an Information Security Management certificate and an MS in Public Management from Carnegie Mellon University and a BS in Computer Science from the University of Pittsburgh. He is a member of the Institute of Electrical and Electronics Engineers (IEEE), the Association for Computing Machinery (ACM), and USENIX/SAGE.
Podcasts Featuring Steve Kalinowski: IT Infrastructure: Tips for Navigating the Tough Spots
Georgia Killcrece is a Member of the Technical Staff in the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI). She has over seventeen years of direct experience within the CERT/CC in developing and transitioning best practices for developing effective incident response teams. Since 1999 Killcrece has led the CERT CSIRT Development Team within the CERT Program.
She takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide and has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. Her team is involved in developing products aimed at evaluating CSIRT capabilities that can be transitioned to the global incident response community.
Killcrece is internationally recognized as a leader in CSIRT development activities and has been a guest lecturer and invited speaker at numerous international conferences and government venues. She chaired the 2006 FIRST conference, an international forum representing over 180 government, academia, and industry response teams.
Killcrece manages and participates in the creation and delivery of a suite of products targeted at creating, managing, and sustaining effective incident management practices, including technical reports, articles, public and on-site training, as well as facilitated workshops focused on CSIRT development. She is an author and contributor to a series of CSIRT documents that define best practice approaches for effective incident response. More information about the CSIRT Development Team is available on the CERT web site at http://www.cert.org/csirts/.
Killcrece can be reached directly by email at georgia@cert.org.
Podcasts Featuring Georgia Killcrece: The Real Secrets of Incident Management
Kelly Kimberland manages the SEI's media relations and analyst relations programs. In this role, she has successfully grown media coverage of the SEI, launched the Institute's first analyst relations program, developed and implemented PR campaigns, and is the project leader for this year's Annual Report. She provides consultation to senior executives on strategic messaging, facilitates press/analyst briefings, and conducts media relations training for new employees. Her professional background includes managing an employee communications program, producing corporate magazines, organizing events, and contributing articles to the Pittsburgh Post-Gazette and F.L. Primo Magazine. She has served on the Public Relations Society of America Pittsburgh Chapter Board of Directors for five years, most recently as the chapter's treasurer and National Assembly delegate. She is an adjunct instructor in advanced public and media relations at Duquesne University. She has a Bachelor of Arts degree from Washington and Jefferson College, a Master of Arts degree from Duquesne University, and most recently became Accredited in Public Relations from the Public Relations Society of America.
Podcasts Featuring Kelly Kimberland: Crisis Communications During a Security Incident
Gene Kim is the CTO and founder of Tripwire, Inc. Since 1999, he has been studying high-performing IT operations and security organizations. In 2004, Kim co-founded the IT Process Institute, which is dedicated to research, benchmarking and developing prescriptive guidance for IT operations and security management and auditors. In 2004, he co-authored the "Visible Ops Handbook: Implementing ITIL in Four Practical And Auditable Steps" and was a principal investigator on the IT Controls Performance Study project, completed in 2006. He currently serves on the Advanced Technology Committee for the Institute of Internal Auditors. In 2005, he co-authored the IIA guide "Auditing Change and Patch Management Controls" and is part of the GAIT task force, which has created guidance on how to scope IT general controls for SOX-404.
Podcasts Featuring Gene Kim: Connecting the Dots Between IT Operations and Security | Change Management: The Security 'X' Factor
After serving in the U.S. Navy as Director of Computer-Aided Ship Design at the Bureau of Ships and Design Superintendent at the Pearl Harbor Naval Shipyard, Mr. Kreitner has for the past 36 years been President and CEO of two information technology companies, Response of Hawaii, Inc. and American Information Systems, Inc (1971-89), a number of hospitals (1989-2000), and, since 2000, The Center for Internet Security.
From 1989-2000, he served as President and CEO of the Reading Rehabilitation Hospital and as President/CEO of the Southeastern Region of the Adventist Health System, with responsibility for seven acute care hospitals in four states. He served as a Board Member of the parent company and was Chairman of the Board of several of the hospitals.
Mr. Kreitner is the founding President and CEO of The Center for Internet Security. He earned an undergraduate degree from the U.S. Naval Academy and graduate degrees from Webb Institute and American University.
Podcasts Featuring Clint Kreitner: Reducing Security Costs with Standard Configurations: U.S. Government Initiatives | Getting to a Useful Set of Security Metrics
Dr. Barbara Laswell is the technical manager and director of the Practices, Development and Training group in the CERT Program at the Software Engineering Institute (SEI). Laswell's work focuses on enhancing the transition of cyber security knowledge through practices and training with the vision of creating an information assurance empowered global workforce. She manages training and education initiatives for organizations in the public and private sectors, both in the U.S. and internationally. Her current responsibilities include assisting organizations and nations in building computer security incident management capabilities and providing the Internet community with practices and methodologies for securing network-based and software intensive systems and for addressing known deficiencies in today's technology.
She manages the design, development, delivery, and evaluation of information assurance curricula for technical staff, managers, senior executives, and educators. Currently at the CERT Training and Education Lab, the team is creating a state-of-the-art virtual training environment to provide anytime, anywhere in-depth scenario-based training at the individual, team, and enterprise levels.
Laswell received her B.A. degree from the State University of New York at Albany, and M.A. and Ph.D. degrees from Stanford University. Her professional research interests focus on knowledge formation, problem-centered instructional design, the design and evaluation of education systems, and learning organizations. She is a member of the American Educational Research Association and the American Society for Training and Development.
Podcasts Featuring Barbara Laswell: Building Staff Competence in Security
Martin Lindner is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI) and is focused on providing technical support and expertise to U.S. government agencies. In his previous role as team leader for incident handling, Lindner was responsible for overseeing and processing all the security incidents reported to the CERT/CC. Lindner worked with government agencies, other CSIRTs, vendors, ISPs and security experts to understand and limit the impact of malicious Internet activity.
Lindner led the cyber investigation of the August 14, 2003 Northeast power outage and had a lead role in designing national and international cyber exercises, including Livewire and Cyber Storm.
Prior to joining the SEI, Lindner worked at the University of Pittsburgh for 18 years, where he held numerous positions, including manager of desktop services and network manager. As the manager of desktop services, Lindner was responsible for all aspects of the PC desktop operations for the university. As the network manager, Lindner designed and implemented the tools used to control, manage, and study the university's network.
Lindner teaches Internet Security at the Carnegie Mellon University Heinz School.
Podcasts Featuring Martin Lindner: Proactive Remedies for Rising Threats
Thomas Longstaff is the Deputy Director for Technology in the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI). Longstaff has spent the past 12 years managing and initiating many of the CERT/CC's projects and initiatives, such as the CERT Analysis Center, CERT Research Center, many survivability projects, and most recently Network Situational Awareness. His current scope of work includes evaluating technology across the entire NSS program to assure continued quality and innovation of all the work at CERT. Longstaff is responsible for strategic planning for the NSS program, technology scouting for promising avenues to address security problems, and operating as a point of contact between research projects at Carnegie Mellon University and the NSS program. Prior to coming to the Software Engineering Institute, Longstaff was the technical director at the Computer Incident Advisory Capability (CIAC) at Lawrence Livermore National Laboratory in Livermore, California. Longstaff obtained his M.S. in 1986 and his Ph.D. in 1992 from the University of California, Davis, in software environments, and his B.A. in Physics and Mathematics from Boston University in 1983.
Longstaff's publications span topics such as security policy, information survivability, insider threat, intruder modeling, and intrusion detection. His awards include Best Paper in 1995 at the NCSC Conference and the Carnegie Mellon University Andy Award for Outstanding Innovation in 2000.
Podcasts Featuring Tom Longstaff: Evolving Business Models, Threats, and Technologies: A Conversation with CERT's Deputy Director for Technology
Stephanie Losi is a graduate of the Information Security Policy and Management program at Carnegie Mellon University in Pittsburgh, Pennsylvania. While at Carnegie Mellon, she worked with CERT's Practices, Development & Training team to develop security awareness training and policies for executives and information security personnel. In addition, Losi has authored online courses dealing with business ethics and served as managing editor of the E-Commerce Times. Her undergraduate degree is a B.S. in journalism from Northwestern University.
Podcasts Featuring Stephanie Losi: The ROI of Security
Paul Love, CISSP, CISA, CISM, Security+, has been in the IT and Information Security field for over 15 years. Paul holds a Master of Science degree in Network Security and a Bachelor of Arts in Information Systems. He has recently co-authored Security Visible Ops as well as three other security and IT books, contributed to multiple Linux/Unix books, and has been the technical editor for over 10 Linux and Unix books with major publishers. Paul is currently the Director of Information Security at The Standard.
Podcasts Featuring Paul Love: Making Information Security Policy Happen
Art Manion leads the Vulnerability Analysis Team at the CERT Coordination Center. Manion supervises technical analysis and interactions among vendors, researchers, and other parties on vulnerability coordination, response, and disclosure. He also researches new ways to manage and make decisions about vulnerabilities, the economics of information security, vulnerability disclosure, and ways to improve software quality and security. In his previous position, Manion analyzed vulnerabilities and wrote Advisories, Alerts, and Vulnerability Notes for CERT/CC and US-CERT. Before joining CERT/CC, Manion was a system and network administrator at Juniata College.
Podcasts Featuring Art Manion: Managing Security Vulnerabilities Based on What Matters Most
David Matthews is currently the Deputy Chief Information Security Officer for the City of Seattle. He has worked in the Information Technology field since 1992. He began working for the City of Seattle as the Technology Manager for the Legislative Department (City Council) in 1998. In early 2005 he was selected to be the first Deputy CISO for the City and has also served as Acting CISO.
He is a participant and leader in regional information security organizations. He is co-chair of the US-CERT/DHS sponsored North West Alliance for Cyber Security (NWACS) and an active participant in the Agora, the Pacific CISO forum (PACISSO), the Computer Technology Investigators Network (CTIN), ISSA, ISACA, InfraGard and ISC2. He participates on the local Critical Infrastructure Protection sub-committee of the Regional Homeland Security team, and also works with a national infrastructure protection group, The Infrastructure Security Partnership. He is the winner of the West Region Information Security Executive of the Year award for 2008.
Podcasts Featuring David Matthews: Integrating Security Incident Response and e-Discovery
Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best-selling books on this topic. The latest, Exploiting Online Games, was released in 2007. His other titles include Java Security, Building Secure Software, Exploiting Software, and Software Security; and he is editor of the Addison-Wesley Software Security series.
Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White.
His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.
Podcasts Featuring Gary McGraw: How to Start a Secure Software Development Program
Nancy R. Mead is a senior member of the technical staff in the Survivable Systems Engineering Group, which is part of the CERT Program at the Software Engineering Institute (SEI). Mead is also a faculty member in the Master of Software Engineering and Master of Information Systems Management programs at Carnegie Mellon University. Her research interests are in the areas of information security, software requirements engineering, and software architectures.
Mead has more than 100 publications and invited presentations. She is a Fellow of the Institute of Electrical and Electronic Engineers, Inc. (IEEE) and the IEEE Computer Society and is also a member of the Association for Computing Machinery (ACM). Dr. Mead received her PhD in mathematics from the Polytechnic Institute of New York, and received a BA and an MS in mathematics from New York University.
Podcasts Featuring Nancy Mead: Identifying Software Security Requirements Early, Not After the Fact
Sam Merrell is a member of the technical staff in the Networked Systems Survivability (NSS) Program at the Software Engineering Institute (SEI). The CERT® Coordination Center is also a part of this program.
As a part of the Survivable Enterprise Management Team, Merrell works with organizations to improve their information security management practices. This work has included FISMA compliance efforts and analysis of information security programs of Federal agencies. He is currently working on Critical Information Infrastructure Protection projects within the U.S. as well as internationally.
Prior to joining the SEI, Merrell spent seven years as the Information Technology Manager for a Pittsburgh-area community bank. Prior to that, he was an information technology consultant, primarily supporting the IBM AS/400. Merrell holds an undergraduate degree from the University of Pittsburgh and holds the CISSP certification as well as the SANS GGSC certificate.
Podcasts Featuring Sam Merrell: Initiating a Security Metrics Program: Key Points to Consider
Patricia B. Morrison is executive vice president and chief information officer for Motorola. In this role, Morrison oversees all strategic, operational and financial aspects of the company's information technology architecture, systems, tools, processes and infrastructure. Patty joined Motorola in 2005 and has led an effort to build a global IT organization that delivers world-class IT value creation. In her first year, Motorola jumped from a #46 to a #12 ranking among the InformationWeek Top 500 IT innovators for 2006, and #1 in the manufacturing industry segment.
Morrison brings Motorola more than 20 years of systems and IT expertise in a wide variety of roles. Before joining Motorola in 2005, Morrison served as executive vice president and chief information officer of Office Depot, Inc., where she led the transformation of Office Depot's IT architecture and helped the company to achieve more than $100 million in efficiency improvements.
Prior to Office Depot, Morrison served as CIO of The Quaker Oats Company in Chicago. As CIO, Morrison oversaw Quaker's systems integration with PepsiCo following Pepsi's acquisition of Quaker Oats in 2001. She serves on the boards of the Chicago Symphony Orchestra, the Lyric Opera of Chicago and Jo-Ann Stores, Inc., where she chairs the board's governance committee.
Podcasts Featuring Patty Morrison: Dual Perspectives: A CIO's and CISO's Take on Security
Dr. Gregory Newby is Chief Scientist at the Arctic Region Supercomputing Center. His current research focuses on information retrieval and acceleration technology for high-performance computing. Newby has held faculty positions at the University of Illinois at Urbana-Champaign and the University of North Carolina at Chapel Hill. As an advocate for the creation and distribution of digital information, he has worked with Project Gutenberg for over a decade. He lives in the Two Rivers area of Fairbanks, Alaska with his wife, 28 dogs, and one cat.
Podcasts Featuring Greg Newby: The Human Side of Security Trade-Offs
Betsy Nichols is a serial entrepreneur who has applied mathematics to develop solutions in satellite mission optimization, industrial process control, war gaming, economic modeling, enterprise systems and network management, and most recently security metrics. Prior to starting PlexLogic, Nichols founded two other software companies in the roles of CTO and VP Engineering. The first company, Digital Analysis Corporation (DAC), implemented network and systems management software. DAC was acquired by Legent Corporation. When Computer Associates acquired Legent, Nichols became one of two principal architects for Unicenter TNG. The DAC technology became the real-time agent infrastructure for Unicenter. In the time Nichols was at CA, Unicenter revenues grew from $50M to over $3B. The second company, ClearPoint Metrics, was the first company dedicated to implementing software products for automating the collection, calculation, and communication of security metrics.
Nichols is an author of five textbooks on microprocessor programming and interfacing as well as numerous articles in both the trade press and academic journals. Most recently, she was co-chair of the Metricon 2.0 Workshop and contributed to Andrew Jaquith's book Security Metrics - Replacing Fear, Uncertainty, and Doubt. Nichols graduated with an A.B. from Vassar College and a Ph.D. in mathematics from Duke University.
Podcasts Featuring Betsy Nichols: Building a Security Metrics Program | Using Benchmarks to Make Better Security Decisions
Richard Nolan is a member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT® Coordination Center is a part of this program.
Currently, Nolan serves as an internet forensic specialist. In addition to his work in network forensics, Nolan develops best practices for administering and securing information systems and networks. He also develops SEI training courses.
Prior to joining the SEI, Nolan served for seven years as a special agent with the United States Department of Justice. While there, he conducted numerous internet-based investigations and executed dozens of federal search warrants at U.S. internet service providers.
Nolan holds a BS and MS in Education from Duquesne University. He is also a graduate of the FBI Academy and a member of the Federal Law Enforcement Officers Association. Nolan's publications include Advanced Information Assurance for Technical Staff: A Forensic Guide to Incident Response for Technical Staff.
Podcasts Featuring Richard Nolan: Computer Forensics for Business Leaders: A Primer
Richard Pethia is the Director of the CERT® Program at Carnegie Mellon University's Software Engineering Institute (SEI). The program conducts research and development activities to produce technology and systems management practices that help organizations recognize, resist, and recover from attacks on networked systems. The program's CERT Coordination Center (CERT/CC) has formed a partnership with the Department of Homeland Security to provide a national cyber security system, US-CERT. Pethia is also a co-director of Carnegie Mellon University's CyLab. CyLab is a public/private partnership to develop new technologies for measurable, available, secure, trustworthy, and sustainable computing and communications systems. This university-wide, multidisciplinary initiative involves more than 200 faculty, students, and staff at Carnegie Mellon.
Podcasts Featuring Richard Pethia: CERT Lessons Learned: A Conversation with Rich Pethia, Director of CERT
William Pollak is a senior writer/editor, member of the technical staff, and Manager of Communications at the Software Engineering Institute at Carnegie Mellon University. The SEI Communications department includes public and media relations, technical writing and editing, communication design, and web publishing and design.
Pollak received his MA in professional writing from Carnegie Mellon in 1991. He is a member of the adjunct faculty in the Carnegie Mellon English Department, where he teaches Marketing, Public Relations, and Corporate Communications.
Lawrence R. Rogers is a senior member of the technical staff in the CERT Program (also the home of the CERT Coordination Center). He has been writing articles for the non-computer professional for several years (see http://www.cert.org/homeusers/) and was the chief architect and main contributor to the CERT Survivability and Information Assurance (SIA) Curriculum (see http://www.cert.org/sia for more information). CERT/CC is part of Carnegie Mellon's Software Engineering Institute, a federally funded research and development center located in Pittsburgh, PA.
Podcasts Featuring Larry Rogers: A New Look at the Business of IT Education
Robin Ruefle is a member of the technical staff of the CERT Program at the Software Engineering Institute (SEI) at Carnegie Mellon University. Ruefle's focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs) worldwide. As a member of the CSIRT Development Team, Ruefle develops and delivers courses for CSIRT managers and incident handling staff. Ruefle has co-authored: Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services List, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, and numerous other articles and guides.
She is currently working with the rest of the CSIRT Development Team on developing a methodology for assessing CSIRT and incident management operations. As part of this work she co-authored the beta version of the Federal Computer Network Defense (CND) Metrics. The Federal CND Metrics are being developed to provide federal, state, and local agencies with a method for evaluating the effectiveness of an agency's incident management or CSIRT capability (focusing on the Protect, Detect, Respond, and Sustain functions).
Ruefle received a BS in political science and an MPIA (Master of Public and International Affairs) from the University of Pittsburgh. She has also taught courses in information technology, management information systems, and information retrieval and analysis as an adjunct faculty member in both the Continuing Education and MBA programs at Chatham College and in the Graduate School of Public and International Affairs (GSPIA) at the University of Pittsburgh.
Podcasts Featuring Robin Ruefle: The Real Secrets of Incident Management
Kristopher Rush is a member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT Coordination Center is a part of this program.
Before joining the SEI, Kristopher worked with the United States Department of State as a member of the Antiterrorism Assistance Program. During this time he developed and taught courses relating to terrorism and cyber crime to foreign military and police.
Rush received a BA in Cultural Anthropology from the University of Florida and an MS in Information Security Policy and Management from the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University. He is the co-author of several SEI publications, including the First Responders Guide to Computer Forensics: Advanced (CMU/SEI-2005-HB-003) and Defense-in-Depth: Foundations for Secure and Resilient Enterprises (CMU/SEI-2006-HB-003).
Podcasts Featuring Kristopher Rush: Inside Defense-in-Depth
Thomas J. Smedinghoff is a partner in the Privacy, Data Security, and Information Law Practice at the law firm of Wildman Harrold in Chicago. His practice focuses on the developing field of information law and electronic business activities, with an emphasis on electronic transactions, information security and privacy issues, and the corporate use and management of information generally. Mr. Smedinghoff has been actively involved in developing e-business and information legal policy both in the U.S. and globally. He currently serves as a member of the U.S. Delegation to the United Nations Commission on International Trade Law (UNCITRAL), where he participates in the Working Group on Electronic Commerce and recently completed negotiation of an international treaty titled the United Nations Convention on the Use of Electronic Communications in International Contracts.
He chaired the Illinois Commission on Electronic Commerce and Crime, and drafted the Illinois Electronic Commerce Security Act enacted in 1998. He served as an advisor to the National Conference of Commissioners on Uniform State Laws (NCCUSL) and participated in drafting the Uniform Electronic Transactions Act (UETA).
Mr. Smedinghoff chairs the International Policy Coordinating Committee of the American Bar Association (ABA) Section of Science & Technology Law, and previously was chair of the ABA Electronic Commerce Division and chair of the ABA Section of Science & Technology Law. He is the editor and primary author of the e-commerce book Online Law: The SPA's Legal Guide to Doing Business on the Internet.
Podcasts Featuring Tom Smedinghoff: Information Compliance: A Growing Challenge for Business Leaders
Dan Swanson, CIA, CMA, CISA, CISSP, CAP, is President and CEO of Dan Swanson and Associates. He is a 26-year internal audit veteran who most recently was director of professional practices at the Institute of Internal Auditors (IIA). As an independent audit consultant, Dan has completed audit projects for many government, federal, and private sector organizations. Presently, Dan is a Compliance Week columnist and has a monthly column with the IT Compliance Institute.
Swanson recently led the writing of the Open Compliance and Ethics Group (OCEG) internal audit guide (IAG) for use in audits of compliance & ethics programs (www.oceg.org) and participated in the COSO small business task force efforts to provide guidance for smaller public companies regarding internal control over financial reporting (www.coso.org).
The author of more than 100 articles on internal auditing and numerous other management topics, Swanson is currently an independent management consultant, a freelance writer, and monthly columnist for Compliance Week.
Podcasts Featuring Dan Swanson: Internal Audit's Role in Information Security: An Introduction
Cal Waits is a member of the Forensic Team in the Networked Systems Survivability Program at the Software Engineering Institute.
In addition to developing digital forensic training material for law enforcement and intelligence agencies, Cal's research focuses on emerging trends in the forensic field and tool development.
Before joining the SEI, Mr. Waits worked for the National Security Agency. He holds an MS degree in Information Security from Carnegie Mellon University.
Podcasts Featuring Cal Waits: Computer Forensics for Business Leaders: Building Robust Policies and Processes
Drawing upon a unique combination of more than twenty years of technical, legal, policy, and business experience, Ms. Westby provides consulting and legal services to public and private sector clients around the world in the areas of privacy, security, outsourcing risk management, business continuity, and technology compliance issues. She also serves as Adjunct Distinguished Fellow for Carnegie Mellon CyLab. Prior to forming Global Cyber Risk, Ms. Westby served as senior managing director for PricewaterhouseCoopers (PwC), specializing in outsourcing and cyber security/privacy issues.
Before that, she was president of The Work-IT Group; launched In-Q-Tel, an IT venture capital/solutions company for the CIA; served as director of domestic policy for the U.S. Chamber of Commerce; was senior fellow and director of IT studies for the Progress & Freedom Foundation; practiced law with two top-tier New York firms; and spent ten years in the computer industry specializing in database management systems.
Jody is a member of the bars of the District of Columbia, Pennsylvania, and Colorado and serves as chair of the American Bar Association's Privacy and Computer Crime Committee. She is a member of the World Federation of Scientists' Permanent Monitoring Panel on Information Security and represents the ABA on the National Conference of Lawyers and Scientists. She is co-author and editor of four books on privacy, security, cybercrime, and enterprise security programs. She speaks globally and is the author of numerous articles. B.A., summa cum laude, University of Tulsa; J.D., magna cum laude, Georgetown University Law Center; Order of the Coif. You can email Ms. Westby at: westby at mindspring dot com.
Podcasts Featuring Jody Westby: The Legal Side of Global Security
Bradford Willke is a senior member of the technical staff within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University. Willke is responsible for leading the Information Security Assessment and Evaluation team, and conducts research, development, and process improvement activities in risk, threat, and vulnerability management methodology related to information security management. Willke also leads projects to develop strategies and provide support for national and international critical infrastructure protection initiatives. In addition, he worked on the development of the SEI's principal risk assessment methodology, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE™) Method.
Before joining the SEI, Willke managed technology and security operations for computing resources of the 90th Security Police Squadron, Francis E. Warren Air Force Base, Wyoming. Willke served in the United States Air Force as a law enforcement specialist and organizational computer security officer from 1993-1997.
Willke holds a professional certificate in information protection and security from the University of New Haven, and received a BS in information systems technologies from Southern Illinois University at Carbondale. He received an AAS in criminal justice from the Community College of the Air Force, and has been a Certified Information System Security Professional (CISSP) since 2004.
Podcasts Featuring Bradford Willke: Managing Risk to Critical Infrastructures at the National Level
William Wilson is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). The CERT® Coordination Center is a part of this program.
As the technical manager of the Survivable Enterprise Management Group, Bill is responsible for the development and transition of methods and techniques that assist organizations in enterprise security management and the identification, analysis, mitigation, and management of information security risks.
Before joining the SEI, Bill served as the technical director of the National Security Agency's Software Engineering Center. During his more than twelve years at the NSA, Wilson held positions in software development and acquisition, systems engineering, and technical project management.
Bill holds a bachelor's degree in computer science from the Pennsylvania State University and a master's degree in computer systems management from the University of Maryland.
Podcasts Featuring Bill Wilson: Using Standards to Build an Information Security Program | The Path from Information Security Risk Assessment to Compliance
As an IT risk management consultant, Jan Wolynski provides security and privacy expertise at the executive level for both public and private organizations. Jan is a former 25-year operational member of the Royal Canadian Mounted Police (RCMP) and has over 25 years of experience in information security. His current role is focused on risk management, privacy, and IT governance.
Jan is very familiar with the control objectives and controls required across IT and business processes. He has used the COBIT control framework and has been involved in controls assessments for clients requiring regulatory certification of the adequacy of their internal controls over financial reporting. In addition, he is considered a subject matter expert on risk assessment methodologies, including BS 7799-3:2006, RCMP/CSE, OCTAVE, IRAM and AS/NZS 4360.
Jan has previously held senior manager and director positions with Deloitte LLP Enterprise Risk Services and PricewaterhouseCoopers LLP Advisory Services. He was PricewaterhouseCoopers Canada’s most senior security practitioner and privacy leader. He currently consults with IBM's Security and Privacy Practice.
Podcasts Featuring Jan Wolynski: Virtual Communities: Risks and Opportunities
Lisa Young, senior member of the technical staff with the Software Engineering Institute of Carnegie Mellon University, has 20+ years of experience in the information technology and telecommunications industry. She holds the designations of Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP) and is experienced in IT governance, information audit and security, and risk management.
Ms. Young teaches the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) risk-based security assessment methodology at the Software Engineering Institute. Her current line of research provides guidelines for improving the way organizations manage the processes of security, IT Operations, business continuity, compliance, and audit to support the organization's mission and critical success factors.
Podcasts Featuring Lisa Young: Resiliency Engineering: Integrating Security, IT Operations, and Business Continuity | Security Risk Assessment Using OCTAVE® Allegro