These eight exceptional women were chosen as Women of Influence for their laudable efforts in improving and advancing information security and privacy.
Malita Barkataki, privacy compliance director, Yahoo
Malita Barkataki has been at the forefront of Yahoo’s efforts to develop an internal framework that ensures that the company remains compliant regarding users’ private data.
Her role is an unenviable one: The international dispute involving the transfer of data has stoked anxieties among companies disturbed by the prospect of getting caught in the crosshairs – especially among technology companies like Yahoo, where data is the center of everything the company does.
Ever since the European Court of Justice’s landmark decision last October that invalidated the Safe Harbor agreement, global businesses have found themselves in the compromised position of attempting to stay compliant throughout a period of great uncertainty.
Her efforts have centered on “model contractual clauses,” a mechanism that enables international transfer of personal data. She identified the appropriate legal mechanism for Yahoo and was instrumental in managing its implementation. The scope of the roll-out extended far beyond typical compliance projects and brought together legal, security, public policy, operations and engineering to a successful transition. “It was a multidisciplinary project,” she says, speaking with SC Magazine.
The most carefully planned privacy programs must begin with training and education initiatives. “A privacy program is only effective if your employees know about it,” she says.
There is little room for error in implementing compliance protocol in situations such as cross-Atlantic data transfer, as was demonstrated by a German regulator’s decision in June to fine Unilever, Adobe and a subsidiary of PepsiCo for failing to implement an alternative data transfer mechanism after the three-month grace period that followed Safe Harbor expired.
Barkataki strives to “manage privacy holistically,” with consistent policies and implementation across the organization. It’s a goal that she says can be a challenge considering that Yahoo operates in different regions. It usually means using the highest bar of privacy across the organization. “Europeans have a very high standard of privacy,” she says, noting a regulatory shift to hold non-European companies to the same privacy standards.
She is especially excited about Yahoo’s “privacy by design” program, which attempts to proactively bake privacy concerns early into the development of new products and initiatives. When Barkataki joined Yahoo in 2013 – after working at Ernst & Young for nearly a decade – the company’s focus on privacy by design principles was a motivating factor that helped convince her to accept the position.
In her consulting work with technology, health care and energy companies while at Ernst & Young, she noticed that some companies were more motivated than others to seriously address privacy by design issues. “This is an issue that less mature companies struggle with,” she says.
While Yahoo’s initiative had already been built when she joined Yahoo, she helped automate and create metrics to measure its success, applying the engineering axiom that “what gets measured gets managed.”
She views Ontario’s former information and privacy commissioner Ann Cavoukian as a strong influence that informed her career. Cavoukian played an important role in popularizing the term privacy by design. “It wasn’t a concept that a lot of companies really understood,” Barkataki says.
She strives to ensure that Yahoo is promoting and supporting privacy across the organization. It’s important to “maintain privacy the way our users would expect of us,” she says. – Jeremy Seth Davis
Michelle Finneran Dennedy, VP and chief privacy officer, Cisco Systems
Don’t be fooled by Michelle Finneran Dennedy’s irreverent sense of humor – she takes privacy very seriously.
The new VP and chief privacy officer at Cisco Systems, who previously held the same title at McAfee/Intel Security for four years, has in the past urged conference attendees to treat their passwords like panties: “Make them exotic, keep them secret and, for God’s sake, change them from time to time; that’s disgusting!”
There is wisdom in her wisecracks, especially in today’s digital climate, where debates rage over whether companies should grant government agencies backdoors to bypass encryption, whether investigators can collect certain metadata or electronic communications without a warrant, and if passwords should go the way of the dinosaur and be replaced with something stronger.
“Data privacy and security, when combined rather than set as false competitors, can be powerful forces for innovations such as digitized warranting requests or appropriate cloaking of innocent bystander information,” Dennedy told SC Magazine. “We just do not have a global standard for any of these issues as of yet, but… these are the macro issues of our age. They are not without a solution, but they are worthy of extensive debate, creativity and a healthy dose of humility from all sectors.”
Cisco hasn’t exactly sat on the sidelines during these debates. In May 2016, the San Francisco-based networking equipment company joined other Silicon Valley firms to meet with the Members of the European Parliament (MEPs) responsible for looking over the new Privacy Shield arrangement between the U.S. and the European Commission. Also in May, Cisco joined other companies in urging the U.S. Senate to pass, without any further changes, the Email Privacy Act, which would change current law to require government investigators to get a search warrant before compelling tech companies to turn over customers’ emails, even if they’re more than 180 days old.
After joining Cisco in September 2015, Dennedy was brought in as a strategic partner in the company’s Security and Trust Organization, whose mission is to ensure trustworthy product development, secure solutions and corporate responsibility. Another key corporate initiative is what Dennedy calls Cisco’s “Values to Value campaign,” which seeks to treat customer PII and intellectual property data as a literal asset in terms of currency value and ethical impact, so that those who manage the data treat it more responsibly.
“Data and information and reasoned decision-making based on that information can and will be noted on corporate balance sheets one day,” Dennedy says. “At Cisco we accept that challenge and are working to create models and frameworks to manage these critical assets that fuel the Information Age.”
In the foreword to the book she co-authored in 2014, The Privacy Engineer’s Manifesto, Dennedy wrote that even in an age where companies and governments collect a seemingly endless stream of data on people, an individual can still “be distinguished from a pile of metadata,” and that “the privacy engineer sees this horizon where privacy and security combine to create value as a similarly challenging and exciting time for exploration, innovation, and creation; not defeat.”
Indeed, she publicly decries the notion that privacy as we know it is dead; she merely believes it must be redefined for the digital age. “Privacy, in a functional sense, can be deemed the authorized processing of personally identifiable data, according to fair, moral, legal and ethical standards,” Dennedy said recently at the 2015 Identity Conference.
Dennedy is also the founder of The iDennedy Project, a consulting and advisory firm with a mission to bring privacy and security products to market. As well, prior to her stint at McAfee, she was VP for security and privacy solutions at Oracle, and before that she was chief privacy officer and chief governance officer at Sun Microsystems.
“I rarely have all the answers,” Dennedy acknowledged, “but I do love my job because I get to puzzle over these critical issues on a global scale while also trying to make a path for my two young daughters’ future digitized world.” – Bradley Barth
Renee Forney, deputy CIO of enterprise operations, Department of Energy; formerly executive director, CyberSkills Management Support Initiative (CMSI), U.S. Department of Homeland Security (DHS)
Just as we were going to press, we received word that Renee Forney had accepted a position at the Department of Energy as the deputy CIO of enterprise operations. She will be managing DOE’s enterprise cybersecurity program and advising the Department’s CIO and senior agency officials in the implementation of cybersecurity and the Department’s Risk Management Approach.
As well, she told us, she will provide executive leadership and guidance for joint agency and administration cybersecurity initiatives, including for the Comprehensive National Cybersecurity Initiative (which outlines U.S. cybersecurity goals and oversees several agencies, including the DHS, the Office of Management and Budget, and the National Security Agency); safeguarding of the Defense Industrial Base and critical infrastructure protection, and assistance to the Mission Executive Council in establishing cybersecurity research and development priorities to improve the national cybersecurity posture.
The posting reasserts her longstanding prominence as a figure in government initiatives to protect personal data.
Formerly executive director of the CyberSkills Management Support Initiative (CMSI) for the U.S. Department of Homeland Security (DHS), Forney supported the undersecretary for management (USM) for cybersecurity initiatives and managed a department-wide cybersecurity workforce. Her efforts there assisted in workforce analysis, recruitment, retention, training and pipeline development. As well, she fostered outreach with academic institutions to engage students – from middle school to graduate level – with opportunities in the cyber realm at the DHS.
With more than 20 years of private and public information technology and program management leadership experience, she formerly served as the deputy director for the Balanced Workforce Program Management Office and was the branch chief within the Business Intelligence Division for the General Services Administration (GSA), where she led the Presidential Transition Team web team which provided support to the transition team staffers.
In all these roles, Forney instituted programs and managed teams to provide management support to senior executive staff, increased collaboration and improved communications between business and information technology stakeholders.
With a shortage of qualified personnel, it’s a vibrant time for cyber professionals and Forney would like to see more enter government service. Recruitment efforts are increasing at every level and assembling the most efficient job description is key, she says.
Her vast and varied management experience certainly came into play following the breach of the Office of Personnel Management in June 2015. As a government employee, she knew to expect a letter notifying her that her personally identifiable information – contained in the SF-86 form she filled out in 2009 to obtain Top Secret clearance – had been exposed. So, she stepped up to the plate recognizing that the White House and Congress were increasingly relying on the DHS to protect the .gov domain. Calling the incursion the “grand slam of PII breaches,” she was instrumental in creating a workbook, the Cyber Management Support Initiative Push Button, to assist hiring managers and HR teams to better define job descriptions for cyber professionals.
Ensuring that cyber technical information accurately defines the position is essential in providing job seekers with the information they need to filter through qualifications, she said at the time. Also, it assists the HR team in assessing candidates. The tool, she said, can greatly streamline the traditional process. The DHS collaborated with OPM to test the tool with several different agencies and rollouts to several other agencies are planned.
Forney also set out a number of steps the DHS could implement to improve federal cybersecurity. The task, she said, is to help reduce risk and better protect key government systems and networks from emerging cyber threats. First among her proposals was an increase of budget in FY 2017 to accelerate a program that can monitor federal networks in real time and deploy mitigation strategies quickly to remove the threat before significant harm can occur.
Further, she advocated for cross training IT staff so they can migrate to essential cyber jobs, and she urged that DHS renew the drive for fast-track acquisition capability in cyber programs justified as an imminent threat. – Greg Masters
Cindy Murphy, president and lead examiner, Gillware Digital Forensics; detective, Madison [Wis.] Police Department; SANS instructor
The importance of digital forensics certainly received a boost when the FBI demanded that Apple turn over encryption keys so it could recover data in an iPhone 5 left behind by the San Bernardino shooter.
Cindy Murphy is an early pioneer when it comes to the use of phone forensics in criminal cases. She spent three decades in law enforcement, 24 of those as a detective at the Madison Police Department in Wisconsin. For nearly two decades, she worked as a certified digital forensics examiner – at a time when the field evolved rapidly with the emergence of mobile devices as a key piece of evidence in investigations. On average, she would process digital evidence for between 250 and 300 cases a year – everything from shootings to homicides to child exploitation cases. Cellphones, she says, are mini-computers on which evidence can be found and prove vital in prosecutions.
In addition to her detective work, Cindy has been providing instruction in digital forensics since 2002. She helped develop curriculum for a certificate program at Madison Area Technical College and was guest faculty for the National District Attorney’s Association. She is a certified SANS instructor and co-authored and teaches an advanced mobile device forensics course for the SANS Institute.
Further, she has testified as a computer forensics expert in state and federal courts on a number of occasions and has presented on digital forensics topics all over the globe.
In a recent interview for the SANS Digital Forensics and Incident Response blog, Cindy says that the most exciting developments in digital forensics and incident response are in the mobile world. “As legacy mobile devices have become smarter, we now are living in a world where a good portion of people are connected to numerous networks with mobile devices. This presents both opportunities and challenges for us in terms of sources of evidence, and the balance between people’s rights to privacy and the investigator’s ability to leverage that data in an investigation.”
And she nurtures young talent along, encouraging students to enter STEM programs as plenty of jobs are waiting for them. Her involvement with the Girl Tech program at Madison Area Technical College, where she teaches STEM subjects to middle-school girls, is just one example.
“The DFIR field is only going to grow in the future,” she says. “We need curious, flexible and well-educated minds to push the profession and field in the various directions it needs to grow.”
Recently, she has taken her decades of experience and this last spring launched Gillware Digital Forensics, a new startup company spun off and separate from 12-year-old Gillware Data Recovery, where she serves as president and lead examiner.
She has known the crew at Gillware since 2006 and collaborated with them through private/public partnerships through the Wisconsin Association of Computer Crimes Investigators, as well as from getting their assistance from time to time to help with data recovery problems that arose while she was doing digital forensics as a detective with the Madison Police Department.
“After 30 years in law enforcement and 17 doing digital forensics, moving into an environment where there was the opportunity to do things that weren’t possible in my law enforcement lab – like Chip-Off and JTAG data extraction from phones and really deep research and development work – was extremely compelling,” she says. “I was used to finding ways to solve seemingly impossible problems with a really limited time and financial resources, and the thought of having access to the time, resources, equipment, experience, ingenuity and technical expertise of the Gillware team was extremely exciting.”
Problems that she couldn’t solve in the law enforcement lab environment, like forensics on severely damaged cell phones or dying hard drives, are now entirely possible to solve, she adds. “Here at Gillware, I’m working on standing up the digital forensics lab from the ground up – hardware, software, network design, specialty equipment, policies, procedures and quality assurance measures we use in the processing cases, training and education plans for our examiners and clients.”
She gets to participate in research and development and go out and talk to people in the field about the work the team is doing. “And I also get to do hands-on forensics and solve unique problems and puzzles, which I have always loved. And so far, a good deal of our work has come from law enforcement agencies, so I’m also feeling right at home.”
“Cindy is truly one of the best and the brightest in the digital forensics industry,” says Scott Holewinski, president of Gillware Data Recovery and co-founder and CEO of Gillware Digital Forensics. “Her experience over the course of her career and her leadership in the field will be extremely valuable to the growth of our organization.”
Away from her 12-hour days behind a desk, Cindy unwinds as a banjo player with the Hoot ‘n Annie String Band, a progressive folk/newgrass band that loves to “play songs that are fun to sing in harmony.” – Greg Masters
Natalie Silvanovich, Information Security Engineer, Project Zero, Google
Natalie Silvanovich is a person who practices what she preaches.
Silvanovich is a researcher at Google Project Zero by day who spends her time uncovering security flaws in mobile devices and software, but she may be even more famous for her pastime: her love of and ability to hack small, electronic life forms – better known as Tamagotchis.
“Tamagotchis were always my favorite toy growing up, and my friends and I tried to predict their behavior by closely monitoring them and logging their every move,” Silvanovich says. “So when I started getting interested in hardware, it seemed like an opportunity to finally get answers to the questions I had. I didn’t know a lot about hardware hacking at the time, so I got some help from people at my hackerspace and in the hacking community.”
Natalie’s hobby dovetails perfectly with her advice to any woman, or man, looking to break into the security sector. That is to explore their interests by reading books and articles on security-related subjects, keep an eye on security discussions on social media and don’t be afraid to write exploits or find bugs on your own.
“Security is a broad field and many people with careers in security are self-taught, so it’s important to find areas that you’re interested in and learn more about them,” Silvanovich says. “I also recommend that people looking to enter the field spend time coding and contribute to open-source or hobby projects if they can. A strong understanding of how code and computers work is essential when working in security and is useful in a lot of other fields as well.”
Silvanovich, who grew up in Vancouver, Canada, and studied electrical engineering at the University of British Columbia, is also actively involved in hackerspaces, places where people share their interest in tinkering with technology and meet and work on their projects. As well, she is a founding member of Kwartzlab Makerspace in Kitchener, Ontario, Canada.
Silvanovich’s expertise is well recognized in the industry. She can be found quoted by dozens of news organizations, she is a prolific blogger for Google’s Project Zero and she speaks at conferences, including Black Hat, where last year she gave an in-depth talk on “Attacking ECMAScript Engines with Redefinition.”
Prior to her life at Google, Silvanovich was a security researcher with BlackBerry, where she was tasked with hacking the company’s flagship smartphone products and then used that information to help make the devices more secure.
To do such work well does require a particular mental mindset, Natalie notes. “Persistence and perseverance are important when doing vulnerability research in particular,” she says. “For every bug a researcher finds, they spend hours or days not finding any, so successful researchers are often the sort of person who enjoys spending a lot of time on a single project and aren’t easily discouraged. Curiosity is also important, as good research quite often starts out with someone being curious about exactly how something works and finding out.”
These traits, along with following her advice on having hobbies that coincide with her passion for hacking, are particularly useful right now as the manufacturer of the Tamagotchi has rolled out a hard-to-hack model.
“I am still working on Tamagotchi hacking, though the latest model has turned out to be more difficult to hack than I expected!” Natalie says. – Doug Olenick
Neema Singh Guliani, legislative counsel, American Civil Liberties Union
Neema Singh Guliani was a freshman in college at the time of the terror attacks of September 11, 2001. The tragedy and ensuing national discussion that she referred to in a blog as “the post-9/11 panic,” had a formative impact on her.
“I came to the realization that we had national security challenges, but that we had to really balance that with the importance of civil rights,” she says, speaking with SC.
For a while, Singh Guliani followed a well-established route common among advocacy-focused attorneys, initially working as a student attorney at a criminal justice institute and a human rights clinic while studying at Harvard Law School, then as a field organizer working on political campaigns, including Sen. Barack Obama’s 2008 presidential campaign. As well, she served as investigative counsel on the House Oversight and Government Reform Committee.
And then she did something unexpected: She took a job with the Department of Homeland Security. “I had an unconventional route,” she told SC. “I’m not somebody who believes that everyone is a bad actor, but I do believe that the lack of good policies and lack of oversight has led to some very bad consequences.”
Singh Guliani came away from her experience at DHS with a stronger sense of the difficulties of researching potential civil liberties violations. “In the national security context, one of the challenges is the information that you don’t have,” she says. “So you run into a wall, and get the facts that you can.”
She has been tireless in advocating for stronger civil liberty protections involving digital information, consistently calling attention to timely and precedent-setting issues, including the Justice Department’s proposed changes to Federal Rule of Criminal Procedure 41, James Comey’s argument that terrorists are “going dark,” FISA’s Section 702, the DHS’s revised Stingray policy, and – of course – the FBI’s request earlier this year that Apple help the agency access the iPhone of San Bernardino shooter Syed Rizwan Farook.
In speaking out about all these issues, she aims to consistently root her arguments in careful research. “When we sound an alarm and I say this is a Fourth Amendment problem, I want people to know that it’s really an issue. We’re not just throwing the Fourth Amendment around.”
In March, she participated on a panel in which the National Security Agency’s privacy and civil liberties director Rebecca Richards was questioned about Executive Order 12333, an order that governs the interception of phone, email and other communications by intelligence agencies. During the panel discussion, Singh Guliani says the executive order “appears to be more permissive” of intelligence agencies’ use of personal data.
The same month, she testified at a House committee hearing that discussed geolocation technology and privacy. “While privacy rights are often conceptualized as belonging to individuals, they are also important because they ensure a specifically calibrated balance between the power of individuals on the one hand and the state on the other,” she noted in her testimony. “When the sphere of life in which individuals enjoy privacy shrinks, the state becomes all the more powerful.” – Jeremy Seth Davis
Shari Steele, executive director, The Tor Project
Just out of law school, Shari Steele had only worked at a law firm for a couple of months when, she says, she “realized the normal practice of law was not what I wanted to do.”
But a seminar her first semester of law school – on the First Amendment – set her on a path that eventually led her to her current position as executive director at The Tor Project, where protecting free speech is tk.
“That seminar brought me in this weird way to security,” she says.
However, before she became fully immersed in privacy and security, she aspired to go back to school to get another law degree so she could teach. “On a whim,” she says, she interviewed for a position at the Electronic Frontier Foundation (EFF), the nonprofit founded in 1990 that has grown into a powerful voice in defense of digital civil liberties and an advocate of privacy and free expression.
Steele’s husband, a techie, “says that’s the coolest job ever” of the Widener University School of Law grad’s interview at EFF. She joined the grassroots organization as legal director, a position she held for eight years, advocating for civil liberties, including advising the U.S. Sentencing Commission on sentencing guidelines for both the Computer Fraud and Abuse Act and the No Electronic Theft Act. She also offered guidance on U.S. encryption policy for the National Research Council.
In a blog post penned last December, shortly after she became executive director of The Tor Project, Steele wrote that she’d been “part of the legal team that sued the government on behalf of mathematician Dan Bernstein to make the use of encryption legal for non-military purposes like privacy protection,” a case that eventually led to a court decision that established cryptographic source code as protected speech and “paved the way for individuals to use encryption to protect their private communications.”
It was that victory that eventually drew Roger Dingledine and Nick Mathewson, creators of The Onion Router (Tor), in 2004 to approach EFF for help finding funding. Steele went to the organization’s board, asking for a budget amendment so EFF could fund Tor itself. “I’ve always been immensely proud of the Tor Project,” she wrote of the effort which has gone from proof of concept to “the strongest most censorship-resistant privacy network” and has become “an essential part of the internet freedom structure.”
It’s fitting, then, that Steele now finds herself at the helm of that project, whose profile has been raised since Edward Snowden sounded the alarm on government surveillance three years ago. Those revelations brought privacy concerns to the doorsteps of the public. “I’ve definitely seen an uptick [in the interest] and I’m sure a lot of it had to do with Snowden,” she says. “He really shined a light on how much information is being gathered on people [and that] you can’t trust what they’re doing with it.”
“He spurred a lot of awareness,” she says.
As the profile of digital civil liberties rises, so does that of The Tor Project itself, making it more important for the organization to run smoothly. In that respect, Steele, who’s been on the job a little more than six months, has her work cut out for her. “Tor is a really interesting place to work,” she says. “They’ve built a technical critical infrastructure for information freedom but no support infrastructure” for the organization.
“They were doing important work with no support infrastructure, no organizational policy, or they got them from somewhere else,” she says, leaving her struggling “to keep the whole tower really erect and at the same time shore up the infrastructure.”
Steele is also charged with figuring out “how to manage a distributed workforce that is also an open source project.” She’s made mistakes, she says, and the organization has faced its challenges, most recently the resignation of activist and developer Jacob Appelbaum amid allegations of sexual misconduct.
But challenges offer Steele the opportunity for “tremendous growth, figuring out new things and how to do them.” When she finishes getting Tor’s house in order, “the organization will be more sustainable.” Failure is not an option when so much critically important work remains to be done.
Steele sees “a lot of opportunity in the information freedom field” for young women. While gender was not an issue for her – “I came into it as a lawyer, not a techie” – she noticed it has been for her employees and other people she’s worked with. “It has been difficult for a lot of women,” she says.
But it’s getting better and with hard work “you can do anything you want,” she says, repeating a lesson she learned from her own mother, who “was always working, which in her generation was much less common.”
Nonprofits have become more welcoming to women. “A few years ago, taking a look around at the people running nonprofits in the freedom space were men,” Steele says. “That’s not as true now. There are more women in the space [leading] and doing tech work.” – Teri Robinson
Chenxi Wang, chief strategy officer, Twistlock
Chenxi Wang has seemingly done it all when it comes to working in the information security field, having held positions ranging from industry analyst to professor to her current role as chief strategy officer at Twistlock, an end-to-end enterprise security solution that keeps container-based applications safe.
Wang was named to her current position in late August 2015, but Twistlock is only the latest in a long line of security positions she has held. These include being vice president for cloud security and strategy at CipherCloud, vice president for strategy and market intelligence at Intel Security, vice president at Forrester Research, along with being an associate professor at Carnegie Mellon University. Wang’s doctorate is in computer science from the University of Virginia where her Ph.D. thesis received an ACM Samuel Alexander Award for excellence in research.
However, despite the level of success she has attained, Wang knows that women do not have it easy getting ahead in the traditionally male-centric information security industry. To help mitigate this problem Wang is active with several organizations designed to give other women a helping hand.
One of the projects she is involved in is being the co-chair (security & privacy track) of the Grace Hopper Conference 2016. The Grace Hopper Celebration of Women in Computing, organized by the Anita Borg Institute, is the world’s largest gathering of women technologists. By being involved in the Grace Hopper Conference, Wang is following the advice she gives women who are trying to work their way through the male-dominated information security field. This includes joining industry associations for networking purposes and finding a mentor, she says in an IT Security Planet interview.
She also created the Facebook group Equal Respect, which hosts personal and professional networking opportunities for women.
Being such a forceful person, along with Wang’s diverse professional background, is one of the reasons Twistlock was interested in bringing her on board.
“Dr. Wang brings a wealth of experience and strategic intellect that will help Twistlock leverage its early market leadership to establish a dominant long-term position in this space,” says Twistlock CEO Ben Bernstein.
When Wang isn’t at Twistlock she can be found as a speaker or moderating at a variety of industry events, including RSA and SANS. At these events she has helped ponder, with other industry experts, such questions as will a backdoor capability ever be a moral necessity, or at which point could it become a necessity?
Wang has a strong opinion on the topic and told The Los Angeles Times, “If Apple succeeds in fighting the court order, it will set up a high barrier for the FBI and the other government groups to access citizen data from now on. This will absolutely have a ripple effect. Apple is now viewed as the flag bearer for protecting citizen data, and if they succeed, there will be a flood of other companies following suit.” – Doug Olenick