Industry pioneers

Share this article:
1109 pioneers Karen Evans
1109 pioneers Karen Evans

There have been countless professionals who have helped shape the information security industry – whether through regulations, technological innovation, policy and standards creation and more. This is our (alphabetical) list of just some of those individuals who played crucial roles over these last 20 years.


Richard Clarke
former special adviser to the president on cybersecurity (or, as he widely was referred, the federal cybersecurity czar) and current chairman of Good Harbor Consulting, a corporate risk management firm, as well as adjunct lecturer at the Harvard Kennedy School and fiction author, writing The Scorpion's Gate in 2005 and Breakpoint in 2007

“If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.”

Clarke worked for more than 30 years for the federal government – a long-running career spanning Democratic and Republic administrations that ended in 2003 and was followed by some controversy when he testified before the 9/11 Commission in 2004 based on his role as counter-terrorism czar with the Clinton and Bush administrations. Though most well-known for his testimony before the Commission and his opinions in a memoir, Against All Enemies, that criticized the Bush Administration for the war in Iraq, its inaction against terrorist threats prior to 9/11 and more, Clarke was and still is a critical champion for information security issues in both the public and private sectors. Clarke, as special adviser to the president on cybersecurity, spent his last year in the Bush Administration focusing on cybersecurity and the threat of what he often called “a digital Pearl Harbor” against the country's critical infrastructure. He also called out the importance that vendors played in addressing the prevalent vulnerabilities in the software on which government and private organizations have come to rely. In a 2005 SC Magazine cover story, Clarke noted his answer to a question a friend would often pose. Friend: “What if the U.S. is attacked and we didn't know it?” Clarke: “Because the country does not have a synoptic view of what is actually happening on systems comprising the critical infrastructure, different hacks could be happening in banking, chemical, transportation and other industries. And it's likely we wouldn't know it at all until major failures began because there's no adequate data sharing at any meaningful level.”


Whitfield Diffie and Martin Hellman
Diffie is chief security officer, Sun Microsystems; Hellman is professor emeritus of electrical engineering, Stanford University

I thought cryptography was a technique that did not require your trusting other people...” – Whitfield Diffie

Hellman and Diffie introduced a new method of distributing cryptographic keys, which became known as the Diffie-Hellman key exchange. The technology is actually a protocol that enables two parties to establish a shared key over an insecure communications channel. The two men also, in turn, stimulated development of a new class of widely used encryption technology, known as asymmetric key algorithms. The development marked a radical change in what previously seemed to be an intractable problem. The technology they spawned now underlies secure communications systems throughout the world.


Karen Evans
former administrator of the Office of Electronic Government and Information Technology at the Office of Management and Budget (OMB); current partner with KE&T Partner, LLC, an IT advisory services company

“There is a sound foundation in place for the next administration to build on and move forward with the next generation of e-government services.”

Before she took on the role of leading the information technology office in OMB, a move which garnered her the unofficial title of CIO for the federal government, Evans was the official CIO of the Department of Energy and the director of the Information Resources Management Division for the Office of Justice Programs in the Department of Justice. No doubt, these two roles prepared her mightily for her OMB gig, where she was tasked with rallying agencies to streamline and secure their IT infrastructures. She did just this by setting and enforcing government-wide standards that called for, among a whole host of requirements, written data breach notification policies, the implementation of Federal Desktop Core Configurations (FDCC) to establish baseline levels of security to reduce risk, minimum levels of security certifications and accreditations for IT government workers, and much, much more. All told, she had some 25 years in federal government when she left at the start of this year. The impact of her tenure, especially the work she undertook while at the OMB, likely will be felt for many more years to come.


Dan Geer
CISO, In-Q-Tel

“The data, at this point, is where the value is.”

Geer is, above all else, a thinker and a visionary, not a corporate soldier. So it should have come as no surprise when he was fired in 2003 from his job as CTO at consulting company @stake for suggesting in a report that the ubiquity of Microsoft software creates a monoculture, thus endangering national security. (Microsoft was one of @stake's clients). Geer, an MIT alum, took the firing in stride and moved on to new pastures where he could continue to impart his risk management wisdom. His most recent cause came while chief scientist at DLP provider Verdasys. Geer wrote Economics and Strategies of Data Security, which used metrics to justify how data security is fundamentally critical to today's businesses, many of which still consider perimeter protection the top priority.


John Gilligan
former CIO of the U.S. Air Force and current president of Gilligan Group, an IT services company

“The industry is taking seriously its obligation to improve quality.”

When Gilligan found that the Air Force was spending more money on patching the systems on which it was relying than on the software itself, he decided something had to be done. So when he began talking to Microsoft CEO Steve Ballmer back in 2003 about consolidating some 38 software contracts and nine support contracts with the vendor, he required that the company make security a priority. The multi-year, approximately $500 million deal resulted in about four standard configurations that enforced strict security policies for all of Microsoft's desktop and server software and required all Air Force personnel to use the standard settings to obtain network access. The deal, at the time, was ground-breaking and was the impetus behind some of the purchasing and security standards which all federal government agencies now must follow.


Shawn Henry
assistant director of the FBI's Cyber Division

“The business of the United States is done on the internet.”

Henry began his career at the FBI in 1989 as a special agent where he focused primarily on public corruption matters. It was in 1999, when he was appointed chief of the computer investigations unit within the National Infrastructure Protection Center at the FBI, that his career in cybersecurity started rolling. As part of his responsibilities in criminal computer intrusion matters, he was appointed a representative for the U.S. delegation to the G8 as a member of the cybercrime subgroup. Further promotions and assignments led in 2007 to being named deputy assistant director of the FBI's cyber division, with program management responsibility for all FBI computer investigations worldwide. In September 2008, he was promoted to assistant director of the FBI's Cyber Division.


William Kovacic
commissioner, Federal Trade Commission

“Steep fines are nice, but one of the best weapons against spyware purveyors is locking them up.”

Kovacic told senators in April 2007 that most wrongdoers in the spyware arena, “can only be described as vicious organized criminals.” In a reasoned explication that heralded the accomplishments and effectiveness of the FTC, on which he's served since January 2006 – as general counsel from 2001 through 2004, as chairman from March 2008 until March 2009, and currently as commissioner – Kovacic made his case by citing the work that the agency has done to collaborate on its cases with criminal law enforcement authorities. Whether making clearly reasoned arguments to legislative leaders for stronger penalties against cybercriminals, bolstering consumer confidence in e-commerce, upgrading policy and statutes for investigation and cooperation between agencies and nations or deterring fraudulent activity on the web, Kovacic has been a strong leader in the struggle for justice in the fairly new realm of the web, as well as an adviser on antitrust and consumer protection issues to a number of foreign governments.


Gordon Lyon (aka Fyodor)
VP, Computer Professionals for Social Responsibility

“The passionate user community is the only reason Nmap has existed and been maintained...”

Lyon developed Nmap (Network Mapper), an open source platform for network exploration or security auditing. Nmap uses IP packets to enumerate hosts available on a network. It can also determine services available on those hosts, which operating systems and versions they are running, which type of packet filters or firewalls are in use, as well as other network characteristics. The tool has become a fundamental system for security professionals worldwide. He went on to become president of Computer Professionals for Social Responsibility, which promotes the appropriate use of computer technology.


Richard Marshall
senior information assurance representative, office of legislative affairs, National Security Agency

“If we don't do something in the near term, there won't be a long term.”

Prior to his current role, when associate general counsel at the NSA, Marshall gathered together disparate organizations in a concerted effort to test national security telecommunications and technology transfer policies and programs. He was the legal architect for Eligible Receiver 97‚ an exercise directed by the Joint Chiefs of Staff, that brought attention to many of the nation's cyber vulnerabilities. He is acknowledged as one of the prime advocates for private/public partnerships in information assurance and business continuity practices and technology.


Jeff Moss
member of the Department of Homeland Security Advisory Council; founder of Black Hat and DefCon

“I have no trouble speaking truth to power.”

As a former hacker, Moss (aka “Dark Tangent”) was probably one of the most unlikely candidates to be appointed to the Homeland Security Advisory Council. But, as the founder of two of the world's most important information security conferences – Black Hat and DefCon – Moss' qualifications are undeniable. His conferences have helped bring together the underground research community and law enforcement, and have aided in fueling the ongoing debate over responsible disclosure of vulnerabilities. As a leading voice in the information security world, Moss frequently speaks at industry events and is quoted in the mainstream media, but says he's still “constantly reading, learning and discussing.” In his newest role on the DHS Advisory Board, Moss will provide recommendations directly to DHS Secretary Janet Napolitano, further illustrating that some in the hacker community can contribute to the public good.


Former Rep. Michael Oxley, R-Ohio; and former Sen. Paul Sarbanes, D-Md.

"I think it's worked well.” – Sen. Sarbanes discussing the legislation he co-authored.

The phrase is mentioned so often in the information security compliance arena that it is easy to forget that Sarbanes-Oxley refers to two living, breathing people. The 2002 bill that bears the name of the retired lawmakers was designed to crack down on financial improprieties at public companies, fueled by the scandals at now-defunct firms such as Enron and WorldCom.

But its legacy for the information security marketplace may be the controls needed to meet the letter of the law. The Sarbanes-Oxley Act of 2002 helped drive IT security projects by baiting CEOs to act with the threat of fines and prison terms. While the law continues to face criticism by some who believe it has led to onerous amounts of work and unnecessary costs, it served as a defining moment for Sarbanes' and Oxley's legislative careers. Few can dispute that the law ushered in an era of risk management and governance that will serve as a foundation for corporate accountability for generations to come.


Kimberly Kiefer Peretti
senior counsel in the computer crime and intellectual property section of the U.S. Department of Justice

“We've gone from card farms to card resellers to international hackers.”

One of the world's foremost authorities on data breaches, Kiefer Peretti is not only a much-in-demand speaker at conferences and forums, but a prosecutor on headline-making trials involving the theft of personally identifiable information, such as the recent case indicting Albert Gonzalez and co-conspirators on charges of hacking credit card networks of major retailers. She was co-lead prosecutor in Operation Firewall, a Secret Service investigation into “Shadowcrew,” which resulted in the arrest of 28 people across the United States, Europe and Russia. The bust, she said, served as a huge deterrent because investigators wiped out the criminal hacker network.


Marcus Ranum
CSO, Tenable Network Security

“I like to think of myself as a filter for good ideas.”

The firewall was really born on a day in 1986 when Ranum, then a network administrator at Johns Hopkins University, noticed something strange: Someone was able gain access to an MRI machine via a Sun Workstation default configuration. Nothing malicious happened, but Ranum knew right then that big problems weren't far off. “People were connecting to the internet and they had no idea what they were doing,” he recalls. Not long after, he built the first commercial-grade firewall for Digital Equipment Corp. and later, the White House. A few years later, he was among the first to market intrusion detection systems. “A lot of my career has consisted of moving ideas from the research world into the commercial world,” says Ranum, who turns 47 this month. “I like to think of myself as a filter for good ideas.” But don't count on any new inventions from him. Today's development tools lead to too many bugs: “I'm still using coding models from the early 80s,” he says.


Howard Schmidt
president and CEO, R & H Security Consulting

“The whole idea of information security has seen dramatic changes over the past five years – it used to be about technology and now it is about data.”

One of the most recognized names in the information security field, Schmidt's career spans 40 years, including stints at the highest levels of government advising presidents on cybersecurity, and as the CISO or CSO at large corporations, including eBay and Microsoft, where he is credited with co-founding the Trustworthy Computing Security Strategies Group. Prior, he pioneered computer forensic initiatives in the U.S. Air Force, FBI and local law enforcement. He's been a leading presence on a number of associations, including ISSA, ITISAC, the International Organization of Computer Evidence, and the Federal Computer Investigations Committee, as well as the American Academy of Forensic Scientists, and the CyberCrime Advisory Board of the National White Collar Crime Center. He is a go-to guy for cybersecurity expertise, being regularly featured in the media worldwide and is the author of several books and articles.


Bruce Schneier
chief security technology officer, BT; cryptographer and author

“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”

Arguably the leading U.S. cryptologist, Schneier is best known for developing numerous encryption algorithms, including Blowfish, which is freely available and currently used in 150 products, and Twofish. He made these public in his books Applied Cryptography and Practical Cryptography, and has presented the highly technical topic of cryptography in a readable way, educating programmers about how to build security into networks and applications. Also one of the most prominent and outspoken bloggers in the information security world, Schneier is known for his candid commentary, often challenfing the conventional wisdom. He's frequently quoted in mainstream media publications, has testified before Congress numerous times, and is the author of several best-selling publications.

 


Winn Schwartau
founder of The Security Awareness Co., SCIPP International and InfowarCon; information security educator/speaker/trainer/author

“My career has been about awareness and getting people to think about things that they don't have to think about.”

Having spent a lengthy career educating the masses on cyberwarfare and internet privacy, Schwartau has truly earned his nickname, the “civilian architect of information warfare.” It's a moniker that's stuck because he was the first person to introduce the concept of infowar to the public in his 1991 nonfiction book Information Warfare: Chaos on the Electronic Superhighway (Thunder's Mouth Press). Just a sampling of his other notable achievements include founding InfowarCon, a leading conference of information warfare, and SCIPP International, a nonprofit global security awareness certification organization. Schwartau's biggest achievement, though, is the consciousness for information security issues he's fostered throughout both the public and private sectors.


State Sen. Joe Simitian
D-Cal.

“I'm surprised as well as disappointed by the governor's veto...” – Simitian referring to California Governor Arnold Schwarzenegger's veto of SB 20 last month.

For the last nine years, Simitian has sponsored a contest known as “Oughta be a Law,” which invites residents to suggest ideas for state laws. But it was a piece of legislation that Simitian authored himself in 2002 that generated the 56-year-old critical acclaim within information security circles. AB-700, which became SB-1386, was the nation's first data breach notification law. Since its passage in 2003, some 45 other states have followed suit. In the law's wake, hundreds of millions of Americans have been notified that their personal information was exposed. It also prompted countless organizations to consider cybersecurity as a business priority. Simitian, who in 2007 accepted the “True Patriot” award from the American Civil Liberties Union, continues to use his legislative powers to improve privacy. This year, he authored SB-20, a follow-up to SB-1386 that requires breached entities to provide specific information, including a description of the incident, in notification letters to victims. However, the bill was vetoed last month by California Governor Arnold Schwarzenegger.


Richard Stiennon
industry consultant

“Intrusion detection systems are a market failure...”

Stiennon is widely known for his statement: “IDS is dead,” though he did not say it in precisely that way. He said, rather, that IDS was “a market failure” in reference to shortcomings he identified in products in the market while VP of research at Gartner. He challenged vendors to address those failings. In 2003, intrusion detection systems were a nascent sector of the security industry, yet held out hope for a market flooded with emerging threats. New systems promised to stem the tide of attacks by preventing unauthorized entry into corporate networks. That year, Stiennon published research that said that the market as a whole had not lived up to its promise and that vendors had failed to provide value relative to the cost of deploying IDS. Because of that, he predicted that IDS would be obsolete in two years. Shortly after this, he moved on to positions at Fortinet and Webroot, and then eventually founded his own company, IT-Harvest, where he is the current chief research analyst.


Amit Yoran
chairman and CEO of NetWitness; public policy advocate

“When information remains classified, the government's ability to work with the private sector is really hampered.”

If Congress is discussing cybersecurity issues, Amit Yoran is probably on the witness stand. Yoran regularly advocates for government investment in cybersecurity research and development efforts, public and private collaboration, and reform of national information security systems. No stranger to government, Yoran was the first director of the National Cyber Security Division of the Department of Homeland Security (DHS), as well as the former director of the United States Computer Emergency Readiness Team (US-CERT), where he headed up the Einstein program at the DHS to improve the federal government's cybercecurity posture. Yoran is helping to bridge the gap between the public and private sectors, having held executive roles at a number of security firms.


Phil Zimmermann
adviser and consultant, PGP; created email encryption software Pretty Good Privacy (PGP)

“It's personal. It's private. And it's no one's business but yours.”

Businesses today rely on encryption to protect what's been referred to as the new currency of business – their information. But without the heralded cryptographer Phil Zimmermann, this technology might not have been available at all. In 1991, Zimmermann came out with the first mainstream email encryption software, Pretty Good Privacy (PGP), and as a result found himself in the middle of a criminal investigation as to whether he had violated U.S. export restrictions on cryptographic software. The three-year investigation was eventually dropped and Zimmermann was touted by some as a hero of the internet for having fought for consumers who are now able to freely use this technology. More recently, Zimmermann undertook an effort to bring the same level of privacy to internet phone calls and developed secure VoIP media encryption software.

Share this article:
close

Next Article in Features

Sign up to our newsletters

More in Features

Know your friends: Partnering with the right allies

Know your friends: Partnering with the right allies

Choosing the right allies to ensure security requirements is a challenge for businesses both large and small, reports James Hale.

Bad reputation: Annual guarding against a data breach survey

Bad reputation: Annual guarding against a data breach ...

Will recent high-profile cyber attacks spur stronger security and improved risk management? The consensus from our data breach survey indicates: Yes, reports Teri Robinson.

Network Rx: Health care security

Network Rx: Health care security

With the addition of 15,000 mobile devices accessing its network, a medical center found assurance - and met compliance mandates, reports Greg Masters.