The Professional Awards recognize the top cybersecurity leaders of 2020 – the people within the cybersecurity vendor community who drove innovation, cyber awareness and industry growth.
For 2021, we will now include the top cybersecurity vendor leaders within SC’s Excellence Awards and a new category of awards – Leadership Awards, formerly known as Reboot – will recognize innovative leadership in the end user community.
Here’s a look at which leaders and programs took home the top honors in 2020 and why, and what some of the winning companies have experienced in the months since the award presentation in February. Keep in mind, a number of these categories have been shifted to the Excellence Awards for 2021.
Best Cybersecurity Higher Education Program
Capitol Technology University
Capitol Technology University offers its students a bold guarantee: You will receive a job offer within 90 days of commencement, or the school will provide up to 36 additional undergraduate credits, tuition-free, while the search for employment continues.
There’s a reason the private South Laurel, Maryland, school is so confident: By the time they finish sophomore year, most undergraduate students at Capitol are already employable. Also, the university maintains close relationships with private-sector companies and the nearby Department of Defense, regularly tailoring its curriculum to suit these organizations’ needs.
Capitol offers BS, MS and DSc programs. Undergrads gain technical knowledge and basic skills in their first semester, and in their ensuing years earn certifications such as Security +, CEH, and Access Data Forensics. MS students are trained to lead teams of security professionals for cyber defense operations, research and analysis, and can develop specializations (e.g. cyberlaw, forensics and cryptography). And its doctoral program is designed to produce senior cybersecurity leaders who take on challenging careers in cybersecurity and academia.
Capitol offers an extensive variety of cyber lab projects, competitions and clubs. Lab areas include cyber, digital and mobile forensics, identity management, IoT vulnerability assessments, quantum computing and SOC analyst training.
A designated CAE-CDE institution, Capitol was chosen in 2014 to provide Master’s-level courses to newly hired NSA security engineers as part of their development program prior to permanent assignment. Capitol has also been selected by over 20 Cyber Scholarship Program scholars over the past 10 years to earn their degrees in cybersecurity and then return to government service in critical cybersecurity positions.
In celebration of National Cyber Awareness Month this year, Capitol partnered with the National Security Agency and three other Maryland community colleges to create a cyber lecture series, titled “Cyber Challenges in the Pandemic.” The lectures will inform high school and college students on the importance of cyber security, hygiene, and preparedness.
Capitol Technology University
New York University
NYU Cyber Fellows (NYU Cybersecurity MS) – New York University Tandon School of Engineering
Red Rocks Community College
Master of Science in Cybersecurity Technology – University of Maryland Global Campus
Best IT Security-related Training Program
Boasting 50 skill and certification learning paths, more than 400 individual courses and over 100 hands-on labs, Infosec’s brand-new IT security training program is designed to help security professionals stay sharp and fill in their knowledge gaps.
Launched in April 2019, Infosec Skills is mapped to the NICE Cybersecurity Workforce Framework, which includes entry, mid-level and advanced cybersecurity roles, backed by research into the actual skills that are requested by employers. With Infosec Skills and NICE, users have the roadmap necessary to identify what employers want and the tools needed to follow the career path of their choice. Infosec also added security awareness training modules this year geared for rank-and-file employees.
More than 2,200 students have signed on since inception, taking advantage of the program’s in-person and online courses, and its monthly and annual plans. Skill paths include ethical hacking, computer incident response, mobile and computer forensics, web application pentesting and more, while certification paths include (ISC)2 CISSP, CompTIA Security+, Certified Computer Forensics Examiner, Cisco Certified Network Associate R&S and more.
Infosec’s 100-plus labs take place across seven cloud-based cyber ranges, offering skills in command line basics, Linux, networking, network traffic analysis, pentesting, SCADA systems and ICS/SCADA capture-the-flag-style pentesting.
Certification practice exams are also included in an education platform designed for flexibility. Students can study at any time on any device, where and when they learn best.
“I wear 50 different hats in my role and needed a compressed, to-the-point training course that would make sure I was ready for all the [certification] exam domains at a technical level,” said Julian Tang, CIO at Tennenbaum Capital Partners. “Infosec trains thousands of students… so I knew they’d be able to tell me what to expect on the exam and what topics to focus on most.”
Mimecast nominated by LogMeIn
Best Professional Certification Program
Certified Information Security Manager (CISM)
ISACA celebrated its 50th anniversary in 2019, and now in 2020 it has a new reason to rejoice: Its Certified Information Security Manager (CISM) program has won Best Professional Certification Program at this year’s SC Awards.
The global association, which provides training and education to 140,000 members via 460,000 engaged practitioners, calls CISM the only management-level certification for infosec professionals.
Most security certifications measure professionals’ comprehension of the technologies and processes they use. But CISM distinguishes itself by also assessing their understanding of how their work supports their various organizations’ specific business goals.
Such knowledge can be critical for CISOs who must communicate ideas to leaders within the C-suite and at the board level. And the payoff is significant: According to ZipRecruiter data, the average annual pay of a CISM in the U.S., as of November 2020, is $137,058.
Earned by more than 42,000 professionals since its inception in 2002, a CISM certification requires five years of work experience, including a minimum of three years of information security management in several job practice analysis areas.
CISM is updated frequently to reflect the ever-changing job roles and responsibilities of security managers, and the fast-evolving threat landscape. Rigorous continuing education is necessary to maintain the certification.
Members can receive their training via ISACA’s Cybersecurity Nexus (CSX), which offers courses and real-world lab environments. ISACA has a presence in more than 188 countries, with over 220 chapters worldwide.
“I already had the technical skills in the cybersecurity space and could demonstrate that, but the CISM gave me the credibility to talk to the business about risk and policies,” said security professional Michelle Malcher, CISM. “The CISM provided me the step I needed to move to an architecture role.”
Certified Information Systems Security Professional (CISSP)
Cloud Security Alliance
Certificate of Cloud Security Knowledge (CCSK)
Certified Information Security Manager (CISM)
Certified in Risk and Information Systems Control (CRISC)
Offensive Security Certified Professional (OSCP)
Best Security Team
Penn Medicine Information Security
The health care industry has been under siege for the last several years as malicious actors try to exploit the myriad, and often older, connected systems found in a medical facility. For that reason, Penn Medicine, also known as the University of Pennsylvania Health System, has found itself on the very front lines when it comes to being targeted by cyberattackers. In fact, in response to the pandemic this year, Penn Medicine implemented new efforts to defeat COVID-related phishing attempts.
The environment protected by the Penn Medicine Information Security team is truly daunting. The 35-person-strong unit oversees the security of 50,000 employees spread across six hospitals and outpatient facilities. To handle this gargantuan task, Penn Medicine has more than tripled the number of cybersecurity personnel in the last two years, and during this time period has evolved its internal structure from one to five teams: Information Assurance, Security Engineering, Security Operations, Security Architecture and Office of the CISO (OCISO).
The high level of success achieved by Penn Medicine Information Security is due to the close relationship it maintains with corporate leaders and those on the medical side of the operation. This is accomplished by “taking security into the field” to work first-hand with the clinical and research communities, which helps bring them closer to the technology and policy decisions that help ensure data remains protected. This also helps create a culture where all staffers know that cybersecurity should be part of their daily conversation.
As any health worker knows, a body must remain strong to fight off an infection, so Penn Medicine Information Security has several programs in place to make sure its security workers are operating at their highest level. This includes certification training, bi-weekly training and the Penn Test Challenge, which uses gamification to improve diagnostic and mitigation skills.
Penn Medicine Security Team
CSO of the Year
CISO, Hospital for Special Surgery
As the first CISO of the Hospital for Special Surgery (HSS) in New York, Vikrant Arora aims to attack cyber risk with surgical precision.
He maintains a strong focus on supporting digital innovation, raising organizational confidence in security, hiring quality talent, and laying the foundation for a multi-year security program that aligns with HSS’ mission. Arora also worked with his team to bolster supply chain security during the ongoing pandemic this year.
Edward Marx, CIO of the Cleveland Clinic, said Arora “has been first amongst peers to leverage machine learning and DevSecOps, while simultaneously developing solutions that addressed gaps in otherwise lax security standards.”
For instance, Arora implemented deep learning and behavioral-based authentication for privileged access, and also incorporated machine-learning-based malware detection on more than 6,000 endpoints. HSS assesses that Arora’s efforts have reduced the risk of unauthorized exposure of electronic protected health information by more than 80 percent in the public cloud and on-premises infrastructure.
A long-time advocate of addressing the security of connected medical devices, Arora envisions an ecosystem of security solutions fueled by data. He has implemented solutions that provide real-time visibility into all connected biomedical devices, enabling HSS to promptly identify ones that may be vulnerable to key threats and exploits.
Arora has also put in place a robust risk management framework at HSS, integrating security into business decisions, application development and the supply chain right from inception. Under Arora’s watch, HSS also implemented the DMARC email authentication protocol to prevent malicious actors from spoofing HSS’ email domain as a means to trick external users.
Additionally, Arora is collaborating with law enforcement, security vendors and other healthcare organizations on an Early Warning System that could potentially allow the health care industry to stay ahead of the curve in a volatile threat landscape.
Vikrant Arora, CISO
Hospital for Special Surgery
Derrick A. Butts, Chief Information & Cybersecurity Officer
Dan Costantino, CISO
Janice Lim, DEO & CISO
Los Angeles County Metropolitan Transportation Authority (Metro)
John Masserini, CISO
Editor’s Choice Award
Global Cyber Alliance
When it comes to basic, yet fundamental, cybersecurity tools that can make the difference between a costly hack and business-as-usual, no organization should be relegated to “have-not” status. That’s why the Global Cyber Alliance, an international, multisector community of partners seeking to combat cyber risk, worked hard this past year to put free security toolkits in the hands of user organizations in need.
These toolkits can reduce cyber risk by as much as 85 percent, asserts the GCA, which was founded in 2015 by the City of London Police, the New York District Attorney’s Office and the Center for Internet Security.
Buoyed by a $1.068 million donation, the GCA in April 2019 launched the Craig Newmark Trustworthy Internet and Democracy Program to provide toolkits to news outlets, government functionaries, election officers and community organizations, in an effort to improve cybersecurity defenses as the 2020 U.S. election approaches.
The toolkits consist of easy-to-use operational tools, guidance and recommendations, helping ensure election integrity while protecting the media from attacks that could expose anonymous sources or manipulate public opinion. With the help of an additional $750,000 donation, the organization launched a second wave of the campaign in December 2019.
The election toolkit program is an offshoot of the Cybersecurity Toolkit for Small Business, which GCA launched last February in conjunction with Mastercard as a way to help SMBs – which often suffer from a lack of cyber resources – protect themselves, their customers and their partners.
“Our focus is on producing a dynamic clearinghouse of operational tools that help small and medium businesses address risk and improve their cybersecurity posture…” said Philip Reitinger, GCA president and CEO, when the program was first launched.
GCA reports that the small business toolkit has already been accessed more than 66,700 times, while the elections toolkit has been accessed more than 1,900 times.
The organization has also been pushing for more trustworthy Internet of Things devices, more secure email via Domain-based Message Authentication, Reporting and Conformance (DMARC), and safer Internet browsing through Domain Name System protections.
Last August, the group collaborated with partners to launch the Automated IoT Defense Ecosystem (AIDE), a development platform offering data collection, analysis and automated defense capabilities as a means to help users identify vulnerabilities and mitigate risks in IoT devices.
AIDE pools data from its own 1,200-node honeyfarm, as well as from other external organizations’ data feeds. The platform records an average 9.5 million attacks per day and, since inception, has collected more than 12 terabytes of attack data on IoT devices.
The platform also comes bundled with GCA ProxyPot, a custom IoT honeypot solution that can replicate an IoT device across multiple IP addresses and physical locations to help sniff out compromise attempts. GCA intends to eventually open source this technology.
In a related effort, GCA has also entered into collaboration with Attivo Networks to build a SCADA honeyfarm to collect threat intelligence on attacks targeting industrial control systems.
Additionally, GCA has developed tools and services and advocated for policy changes that have enabled more than 7,300 companies and government agencies to deploy DMARC as a means to prevent e-mail spoofing and phishing.
According to the GCA, the Department of Homeland Security credited the Alliance with influencing its decision to issue a binding directive requiring U.S. government agency email domains to use DMARC. Later, the Department of Defense would follow suit.
In September, GCA completed its first DMARC Bootcamp, a tutorial experience designed to acquaint user organizations with the protocol and guide them through implementation. It was attended by more than 1,800 registrants from 55 countries and 40 industries.
Later, in November, the GCA released its DMARC Leaderboard, an interactive tool through which users can measure and quantify DMARC deployment. The Leaderboard can rank DMARC usage by country, industry and DMARC policy level, providing intelligence on tens of millions of email domains.
Additionally, in collaboration with IBM and Packet Clearing House, the GCA spearheaded the creation of Quad9, a free domain name protection service designed to stop consumers from accessing websites known to be infected with malware or associated with phishing campaigns. Launched in November 2017, Quad9 resolves billions of queries and blocks at least 10 million malicious events per day.