Alessandro Acquisti is an Assistant Professor of Information Technology and Public Policy at the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, a partner at Carnegie Mellon Cylab, and a Research Fellow at the Institute for the Study of Labor (IZA). His work investigates the economic and social impact of IT, and in particular the interaction and interconnection of human and artificial agents in highly networked information economies. His current research focuses primarily on the economics of privacy and information security, but also on the economics of computers and AI, agents economics, computational economics, ecommerce, cryptography, anonymity, and electronic voting. His research in these areas has been disseminated through journals, book chapters, and leading international conferences.
Prior to joining CMU Faculty, Alessandro Acquisti researched at the Xerox PARC labs in Palo Alto, CA, with Bernardo Huberman and the Internet Ecologies Group; at JP Morgan London, Emerging Markets Research, with Arnab Das; and for two years at RIACS, NASA Ames Research Center, in Mountain View, CA, with Maarten Sierhuis and Bill Clancey. At RIACS, he worked on agent-based simulations of human-robot interaction onboard the International Space Station. In 2000 he co-founded PGuardian Technologies, Inc., a provider of Internet security and privacy services, for which he designed two currently pending patents.
Alessandro has received national and international awards, including the 2005 PET Award for Outstanding Research in Privacy Enhancing Technologies and the 2005 IBM Best Academic Privacy Faculty Award. He is a member of the program committees of various international conferences and workshops, including ACM EC 06, PET 06, WEIS 06, ETRICS 06, WPES 05, LOCA 05, QoP 05, and the Ubicomp Privacy workshop at Ubicomp 2005.
In a previous life, Alessandro worked as classical music producer and label manager (PPMusic.com), arranger, lyrics writer (BMG Ariola/Universal), and soundtrack composer for theatre, television (RAI National Television), and indy cinema productions.
Alessandro Acquisti has lived and studied in Rome (Laurea, Economics, University of Rome), Dublin (M.Litt., Economics, Trinity College), London (M.Sc., Econometrics and Mathematical Economics, LSE), and in the San Francisco Bay Area, where he worked with John Chuang, Doug Tygar, and Hal Varian and received a Master's and a Ph.D. in Information Management and Systems from the University of California at Berkeley.
Podcasts Featuring Alessandro Acquisti: Privacy: The Slow Tipping Point
Christopher Alberts is a senior member of the technical staff in the Acquisition Support Program at the Software Engineering Institute, Carnegie Mellon University. He is currently developing methods for managing systemic risk during the development and operation of software-intensive systems and systems of systems. Prior to this work, he co-developed the OCTAVE® approach for managing information security risks and the Continuous Risk Management methodology for managing software development project risks. He has co-authored two books, Managing Information Security Risks: The OCTAVESM Approach (Addison-Wesley 2002) and the Continuous Risk Management Guidebook (Software Engineering Institute 1996).
Podcasts Featuring Christopher Alberts: Rethinking Risk Management | Assuring Mission Success in Complex Environments
Dennis Allen is a member of the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. As the Cyber Workforce Development Training Team Lead, Dennis guides an outstanding group of information security experts in the development and implementation of cyber training programs for several governmental customers. Dennis has over 18 years of information technology experience working with many small private businesses and Fortune 500 corporations. As a U.S. Army Reservist for 14 years, he participated in or led multiple cyber defense exercises and information assurance training missions. Dennis's current professional certifications include CISSP, CEH, Security+, and NSA IAM. He holds a Bachelor of Science degree in Computer Science from St. John Fisher College (Rochester, NY) and a Master of Science in Information Assurance from Norwich University (Northfield, VT). Active memberships include the Rochester ISSA Chapter, ACM, and (ISC)2.
Podcasts Featuring Dennis Allen: How to Become a Cyber Warrior
Julia Allen is a senior researcher within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Allen’s areas of interest include operational resilience, software security and assurance, and measurement and analysis.
Prior to this technical assignment, Allen served as acting director of the SEI for an interim period of six months as well as deputy director/chief operating officer for three years. Her degrees include a B.Sci. in Computer Science (University of Michigan) and an MS in Electrical Engineering (University of Southern California).
Allen is the author of The CERT Guide to System and Network Security Practices (Addison-Wesley 2001) and moderator for the CERT Podcast Series: Security for Business Leaders. She is a co-author of Software Security Engineering: A Guide for Project Managers (Addison-Wesley 2008) and CERT Resilience Management Model (RMM): A Maturity Model for Managing Operational Resilience (Addison-Wesley 2010).
Podcasts featuring Julia Allen: Compliance vs. Buy-in | Why Leaders Should Care About Security | Getting Real About Security Governance | Information Security Governance and Nuts and Bolts for an Information Security Program (Q-CERT podcasts) | Building More Secure Software | Measuring Operational Resilience
Jennifer Bayuk is an independent consultant on topics of information confidentiality, integrity, and availability. She is engaged in a wide variety of industries with projects ranging from oversight policy and metrics to technical architecture and requirements.
Jennifer has a wide variety of experience in virtually every aspect of information security. She has been a Chief Information Security Officer, a Security Architect, a Manager of Information Systems Internal Audit, a Big 4 Security Principal Consultant and Auditor, and a Security Software Engineer.
Jennifer frequently publishes on information security and audit topics and has lectured for organizations that include ISACA, NIST, and CSI. She is certified in Information Systems Security (CISA), Information Security Management (CISM), and IT Governance (CGEIT) and has master's degrees in Computer Science and Philosophy. She can be reached at www.bayuk.com.
Podcasts Featuring Jennifer Bayuk: Concrete Steps for Implementing an Information Security Program
Sean R. Beggs is the Director of the Master of Information Systems Management (MISM) and the Master of Science in Information Security Policy and Management (MSISPM) programs at the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University.
Sean has held positions in information technology at Carnegie Mellon for the past eight years, including Computer Support Manager and Support Specialist. In addition, he has taught IT courses for a local technical college. Prior to working at Carnegie Mellon, Sean conducted neuropsychological testing at the University of Pittsburgh and worked as a jet engine mechanic for the United States Air Force.
Sean received his MS in information technology from Carnegie Mellon University and his BS in psychology from the University of Pittsburgh.
Podcasts Featuring Sean Beggs: What Business Leaders Can Expect from Security Degree Programs
William C. Boni has spent his entire professional career as an information protection specialist and has assisted major organizations in both the public and private sectors. For 30 years, beginning as a Special Agent in U.S. Army Counter-intelligence, Bill has helped a variety of organizations design and implement cost-effective programs to protect both tangible and intangible assets. He has pioneered the innovative application of technologies, including computer forensics and intrusion detection, to deal with incidents directed against electronic business systems.
Boni is the Corporate Vice President and Chief Information Security Officer of Motorola Information Protection Services. He is responsible for the company's overall program to protect critical digital proprietary information, intellectual property and trade secrets. He also directs the people, processes and technology programs that safeguard the company's global network, computer systems and electronic business initiatives.
Boni is Vice President and Board member of the global Information Systems Audit and Control Association (ISACA) and chairs the IT Governance Institute, the developer of the COBIT (Control Objectives for IT) governance and management framework.
Podcasts Featuring Bill Boni: Dual Perspectives: A CIO's and CISO's Take on Security
Matthew Butkovic is an Information and Infrastructure Analyst within the Resilient Enterprise Management Team of the CERT Program at Carnegie Mellon University's Software Engineering Institute. As a member of the team he performs information and critical infrastructure protection research and develops methods, tools, and techniques for resilient enterprise management.
Butkovic has more than 15 years of managerial and technical experience in information technology (particularly information systems security, process design and audit) across the banking and manufacturing sectors. Prior to joining CERT in 2010, Butkovic was leading information security and business continuity efforts for a Fortune 500 manufacturing organization. He holds a BA from the University of Pittsburgh. Butkovic is a Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).
Podcasts Featuring Matthew Butkovic: Conducting Cyber Exercises at the National Level | Considering Security and Privacy in the Move to Electronic Health Records
Dawn Cappelli is a Senior Member of the Technical Staff in CERT at Carnegie Mellon University's Software Engineering Institute (SEI). She has over 25 years' experience in software engineering, including programming, technical project management, information security, and research. She is technical lead of CERT's insider threat research, including the Insider Threat Study conducted jointly by the U.S. Secret Service and CERT. Other current work includes modeling and simulation projects for risk analysis and for communicating the impacts of policy decisions, technical security measures, psychological issues, and organizational culture on insider threat. Ms. Cappelli is also an adjunct professor in Carnegie Mellon's Heinz College of Public Policy and Management. Ms. Cappelli has been with Carnegie Mellon since 1988. Before joining CERT in 2001, Ms. Cappelli was Director of Engineering for the Information Technology Development Center of Carnegie Mellon Research Institute, led special projects for the university's Computing Services, and worked on projects for the Software Engineering Institute's Information Technology team. Before joining the SEI in 1988, Ms. Cappelli was a Software Engineer for Westinghouse Electric Corporation, developing nuclear power plant systems.
Podcasts Featuring Dawn Cappelli: Protecting Against Insider Threat | Insider Threat and the Software Development Life Cycle | Mitigating Insider Threat: New and Improved Practices
Richard Caralli is a senior member of the technical staff on the Survivable Enterprise Management team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Caralli is currently the team leader for developing and delivering methods, tools, and techniques for enterprise security and resiliency management. His work includes the exploration and development of process-oriented approaches to security management.
Before joining the SEI, Caralli was responsible for developing the information security assessment and risk management capabilities of the CyberSecurity Center at Carnegie Mellon Research Institute. In addition, Caralli has over 25 years' experience in information technology (particularly systems analysis and information systems audit and security) in Fortune 1000 companies covering the banking and finance, steel production, light manufacturing, and energy industries.
Caralli holds a BS degree in Accounting from St. Vincent College and an MBA with a concentration in Information Technology from the John F. Donahue Graduate School of Business at Duquesne University. He has previously been on the Adjunct Faculty at Community College of Allegheny County and is a frequent lecturer in Carnegie Mellon's Heinz College of Public Policy and Management and the CIO Institute's Executive Education programs.
Podcasts Featuring Rich Caralli: Adapting to Changing Risk Environments: Operational Resilience | How Resilient Is My Organization?
Jeffrey J. Carpenter has 25 years of experience in information technology and security as a technical practitioner, team leader, and manager. He is the technical manager of the CERT Coordination Center (CERT/CC), part of the CERT Program at Carnegie Mellon University’s Software Engineering Institute.
During his tenure as manager, Carpenter led the team that created, and still operates, the Department of Homeland Security's (DHS) National Cyber Alert System (NCAS). He oversaw the creation of successful programs in malicious code analysis, secure coding, and vulnerability discovery, and he has assisted numerous countries in the creation of national computer security incident response teams (CSIRTs). Carpenter has supported international CSIRT outreach and, in 2006, founded an annual workshop for the technical staff of all national CSIRTs.
Before joining the CERT/CC, Carpenter was a systems analyst/team leader for the University of Pittsburgh. In that role, he was responsible for many of the UNIX-based services provided by the computer center and was one of the architects of its distributed UNIX environment.
Podcasts Featuring Jeff Carpenter: Tackling Security at the National Level: A Resource for Leaders | Establishing a National Computer Security Incident Response Team (CSIRT)
Jim Cebula is a Member of the Technical Staff on the Resilient Enterprise Management (REM) team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Jim's current work focuses on risk management and information resilience, critical infrastructure resilience assessment, and cloud computing.
Jim joined CERT in 2009 after spending nearly 15 years in project management, IT, and security roles with Bechtel Corporation, most recently as a cyber security manager. He is a Certified Information Systems Security Professional (CISSP) and is a member of IEEE, ACM, and InfraGard.
Podcasts Featuring Jim Cebula: Integrated, Enterprise-Wide Risk Management: NIST 800-39 and CERT-RMM
Pravir Chandra is director of strategic services at Fortify, where he works with clients to build and optimize software security assurance programs. Pravir is widely recognized in the industry for his expertise in software security and code analysis, and also for his ability to apply technical knowledge strategically from a business perspective. Prior to Fortify, he was affiliated with Cigital as a principal consultant, where he led large software security programs at Fortune 500 companies. Pravir was also co-founder and chief security architect at Secure Software, Inc. before the company was acquired by Fortify Software. His book, Network Security with OpenSSL, is a popular reference on protecting software applications through cryptography and secure communications. His varied special project experience includes creating and leading the Open Software Assurance Maturity Model (OpenSAMM) project with the Open Web Application Security Project (OWASP) Foundation. Pravir also currently serves as a member of the OWASP Global Projects Committee.
Podcasts Featuring Pravir Chandra: The Role of the CISO in Developing More Secure Software
With 35 years of experience in a wide variety of software, systems engineering and management positions, Robert N. Charette is an internationally acknowledged authority and pioneer in connecting business to technical risk management as well as in the development and management of very large-scale software-intensive commercial, civil government and defense systems.
Charette is the President of the ITABHI Corporation, an international high technology company located in Spotsylvania, VA involved in enterprise risk management consulting. He is also a Fellow and director of the Enterprise Risk Management and Governance practice for the Cutter Consortium, an IT research information company located in Boston, MA.
Charette is the author of several foundational books and dozens of articles on technical and business management. He is currently on the editorial board of Software Quality Professional, a contributing editor to IEEE Spectrum and contributing writer to Government Executive and Information Management magazines.
Podcasts Featuring Robert Charette: Is There Value in Identifying Software Security "Never Events?" | Electronic Health Records: Challenges for Patient Privacy and Security
Brian Chess is a founder of Fortify Software and serves as Fortify's Chief Scientist, where his work focuses on practical methods for creating secure systems. His book, Secure Programming with Static Analysis, shows how static source code analysis is an indispensable tool for getting security right. Brian holds a Ph.D. in computer engineering from the University of California at Santa Cruz, where he studied the application of static analysis to the problem of finding security-relevant defects in source code. Before settling on security, Brian spent a decade in Silicon Valley working at huge companies and small startups. He has done research on a broad set of topics, ranging from integrated circuit design all the way to delivering software as a service.
Podcasts Featuring Brian Chess: An Alternative to Risk Management for Information and Software Security | An Experience-Based Maturity Model for Software Security
The use of information technology ("IT") is becoming increasingly regulated, and new technologies lead to new legal risks. John R. Christiansen, an attorney with deep experience in this field, founded Christiansen IT Law to help organizations recognize, understand and manage their IT risks, and minimize their IT-related exposures while maximizing the real benefits of using IT.
John began practicing law in 1985 and began working on IT law issues in the early 1990s. John is a nationally recognized expert on legal issues related to IT management, privacy and security. He publishes and speaks frequently on IT issues, and is active in leadership roles in national and regional professional associations and industry groups. Christiansen IT Law is small, nimble and knowledgeable. Low overhead keeps costs manageable and predictable, and a flexible, personal approach ensures that services match real client needs. Generally, legal services which are available include but are not limited to:
- Regulatory compliance and risk management under HIPAA, Gramm-Leach-Bliley, and other federal and state laws.
- IT risk identification and management strategies and tactics, including working with technical consultants on risk assessments, support of risk mitigation projects, counsel on risk transfer and risk acceptance.
- Data sharing and system networking using electronic medical and health records ("EMRs" and "EHRs"), regional health information organizations ("RHIOs"), and the national health information infrastructure ("NHII").
- IT-related dispute resolution services and support, including civil and criminal investigations and proceedings.
- IT contracting services, including technology acquisition and strategic partnering due diligence, contract negotiation and preparation, and contract management.
Podcasts Featuring John Christiansen: Leveraging Security Policies and Procedures for Electronic Evidence Discovery
Roland Cloutier is Vice President and Chief Security Officer for EMC Corporation. Roland leads EMC's Global Security & Business Protection Programs and has functional and operational responsibility for EMC's information & cyber security, business risk, crisis management, and corporate protection operations worldwide.
Previously, he held executive positions with several consulting and managed security services firms specializing in critical infrastructure protection, including EDS, Paradigm, and ANS. He is a former federal law enforcement officer, having held investigative and international field operation positions with the USDVA and the DoD, and is also a former Air Force Protection Specialist, having served in the Persian Gulf War specializing in International Aerospace Protection. Roland is a member of the High Tech Crime Investigations Association, the State Department Partnership for Critical Infrastructure Security, and the FBI's InfraGard Program. He also serves as a member of the Security for Business Innovation Council and the Center for Information Policy Leadership, and as an advisor to the Board for Vigilant Corporation.
Podcasts Featuring Roland Cloutier: Security: A Key Enabler of Business Innovation
Brian Contos has over a decade of real-world security engineering and management expertise developed in some of the most sensitive and mission-critical environments in the world. As ArcSight's CSO he advises government organizations and Global 1000 companies on security strategy related to Security Information and Event Management (SIEM) solutions while serving as an evangelist for the security space. He has delivered security-related presentations, white papers, webcasts, and podcasts, and most recently co-authored a book titled Physical and Logical Security Convergence. In 2006 he authored a book on insider threats titled Enemy at the Water Cooler. He frequently appears in media outlets including Forbes, The London Times, Computerworld, SC Magazine, InfoSecurity Magazine, ITDefense Magazine and the Sarbanes-Oxley Compliance Journal.
Mr. Contos has held management and engineering positions at Riptech, Lucent Bell Labs, Compaq Computers and the Defense Information Systems Agency (DISA). He has worked throughout North and South America, Western Europe, and Asia and holds a B.S. from the University of Arizona in addition to a number of industry and vendor certifications.
Podcasts Featuring Brian Contos: Convergence: Integrating Physical and IT Security
Gregory Crabb is Inspector in Charge of Revenue, Product, and Global Security for the U.S. Postal Inspection Service. Greg manages a number of programmatic efforts for the Postal Inspection Service, including the investigation of cybercrime and revenue fraud. He also guides the development of secure U.S. Postal Service products. Greg leads Global Security for the Postal Service, including both global law enforcement liaison and security controls through forums such as Interpol and the Universal Postal Union.
Podcasts Featuring Greg Crabb: US Postal Inspection Service Use of the CERT Resilience Management Model
William P. Crowell is an Independent Consultant specializing in Information Technology, Security and Intelligence Systems. He also is a director and Chairman of Broadware Technologies, a video surveillance software company, a director of ArcSight, Inc., an enterprise security management software company, a director of Narus, a software company specializing in IP telecommunications Infrastructure software, a director at Ounce Labs, a software company specializing in source code vulnerability assessment tools and a director of RVison, a video surveillance technology company. In July 2003 he was appointed to the Unisys Corporate Security Advisory Board (now the Security Leadership Institute) to address emerging security issues and best practices. In September 2003 he joined the Advisory Board at ChoicePoint, a data aggregation company.
Crowell is an expert on network and information security issues. He has been quoted in many trade and business publications including the Wall Street Journal, BusinessWeek, USA Today, Information Week, Network World, Computer World, Federal Computer Week, CIO Magazine and the San Jose Mercury News. Crowell has also appeared on CBS MarketWatch, CNET News, CNBC and KNTV's Silicon Valley Business. He was the technical advisor to the TV series "Threat Matrix" during its run on ABC in the 2003 season.
Podcasts Featuring William Crowell: Convergence: Integrating Physical and IT Security
Pamela Curtis is a Senior Researcher on the Resilient Enterprise Management Team in the CERT Program at the Software Engineering Institute. Curtis conducts analytical studies and investigations and develops models and assessments related to improving and measuring operational resilience. She has over 25 years of experience in the information technology domain as a systems analyst, programmer, process improvement team leader, technical communicator, and manager. Curtis holds a BA with a concentration in Management from Simmons College and an MS in Management Information Systems from Boston University.
Podcasts featuring Pamela Curtis: Measuring Operational Resilience
Gary Daniels is the Director of the Corporate Business Continuity program at Marshall & Ilsley Corporation. His primary responsibilities are to ensure that M&I Corporation and its affiliates have sound disaster recovery plans for each of its 400+ facilities. In addition, Gary is responsible for M&I's vendor management program, operational risk, and compliance review programs within M&I Support Services.
Gary has over 21 years of experience in the financial services industry, including quality assurance, problem management, and business continuity, and is a certified disaster recovery planner. He served on the Security Board of Chicago and the Southeast Wisconsin Homeland Security Partnership, and is a member of the Financial Services Technology Consortium group. He has also worked with some of the top 25 banks building a resiliency maturity model for financial institutions and is chairman of the Resiliency Model's Taxonomy/Glossary committee. Before transferring to M&I, Gary developed the Metavante recovery program and has worked with many Metavante clients as well as internal M&I business units, assisting with business continuity planning and preparedness.
Podcasts Featuring Gary Daniels: Ensuring Continuity of Operations When Business Is Disrupted
Mary Ann Davidson is the Chief Security Officer at Oracle Corporation, responsible for Oracle product security, as well as security evaluations, assessments and incident handling. She represents Oracle on the Board of Directors of the Information Technology Information Security Analysis Center (IT-ISAC), is a member of the Global Chief Security Officer Council and the editorial advisory board of SC Magazine. She was recently named one of Information Security Magazine's top five "Women of Vision" and is a 2004 Fed100 award recipient from Federal Computer Week. She has served on the Defense Science Board and has recently been named to the Center for Strategic and International Studies Cyber Commission.
Ms. Davidson has a B.S.M.E. from the University of Virginia and an M.B.A. from the Wharton School of the University of Pennsylvania. She has also served as a commissioned officer in the U.S. Navy Civil Engineer Corps, during which she was awarded the Navy Achievement Medal.
Podcasts Featuring Mary Ann Davidson: Developing Secure Software: Universities as Supply Chain Partners
Will Dormann has been a software vulnerability analyst with Carnegie Mellon Software Engineering Institute's CERT Coordination Center (CERT/CC) since 2004. His focus areas include web browser technologies, ActiveX, and fuzzing. Will has discovered thousands of vulnerabilities through the use of fuzzing tools and other techniques.
Podcasts Featuring Will Dormann: The Power of Fuzz Testing to Reduce Security Vulnerabilities
Chad Dougherty is the team leader for the Vulnerability Analysis Team in the CERT Coordination Center (CERT/CC). He works with vendors and researchers to identify and mitigate new vulnerabilities in software before it is deployed, and also to remediate vulnerabilities in already-deployed software.
Before joining CERT/CC in 2000, he was a systems and network engineer at the University of Pittsburgh Medical Center (UPMC) and the search engine company Lycos, Inc.
Podcasts Featuring Chad Dougherty: Protect Your Business from Money Mules
Scott Dynes is a Senior Research Fellow and Project Manager at the Center for Digital Strategies at the Tuck School of Business at Dartmouth College, Hanover, New Hampshire. His research interests include understanding how firms identify and manage the risks they face as a result of using the information infrastructure to enable business strategies and run business operations. He also studies critical infrastructure protection and the impact of government policy in managing the risk resulting from cyber events. Dynes holds a Ph.D. in physics from MIT.
Podcasts Featuring Scott Dynes: Business Resilience: A More Compelling Argument for Information Security | Inadvertent Data Disclosure on Peer-to-Peer Networks
Sid Faber is a member of the technical staff within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. As a member of the Network Situational Awareness (NetSA) analysis team, Faber supports sponsors by providing detailed reports of current and historical network activities. His current areas of interest include fusing massive network data sets, enabling analysts with tools and methods necessary to defend large networks, using large-scale DNS monitoring to detect malicious behavior, and designing closed networks for improved security.
Faber also serves as an adjunct faculty member at the Carnegie Mellon University Heinz College of Information Systems & Management and at the University of Pittsburgh, School of Information Sciences.
Prior to joining the SEI, Faber worked as a security architect with Federated Investors, one of the largest investment managers in the United States. His experience includes more than fifteen years in software application security, development, and evaluation, and five years in the U.S. Navy Nuclear Power Officer program.
Podcasts Featuring Sid Faber: Using Network Flow Data to Profile Your Network and Reduce Vulnerabilities
Dr. Lori Flynn is an Insider Threat Researcher at the CERT® Insider Threat Center at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University. In this role, her information security research focuses on prevention, detection, and response to intentional or unintentional threats posed by organizational insiders. Dr. Flynn is a coauthor of CERT's "Common Sense Guide to Mitigating Insider Threats: 4th Edition." Her current projects include pattern analysis, metrics, and the development of assessment techniques. Lori's research experience includes secure mobile routing protocols, polymorphic program signature creation via static analysis, and prototyping software and networked systems.
Podcasts Featuring Lori Flynn: Mitigating Insider Threat - New and Improved Practices Fourth Edition
Jonathan Frederick is a member of CERT's Workforce Development Team. CERT is a program at the Software Engineering Institute, a unit of Carnegie Mellon University in Pittsburgh, PA. Jonathan researches information security subject areas and develops courseware, technical demonstrations, and exercises for U.S. Government agencies to include the Department of Defense (DoD), the National Security Agency, and the Department of Homeland Security.
Prior to joining the SEI, Jonathan worked for the Defense Information Systems Agency creating policies, procedures, and documentation for deploying the Host Based Security System across the DoD. He also worked as a network administrator for the U.S. Air Force National Guard, of which he is still a member today.
Jonathan received his bachelor's in Information Systems and Technology from The Pennsylvania State University and a master's in the Management of Information Systems from Robert Morris University. He is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Auditor (CISA), and a Project Management Professional (PMP).
Podcasts Featuring Jonathan Frederick: Mobile Device Security: Threats, Risks, and Actions to Take
Pamela Fusco has accumulated over 20 years of substantial experience as an Information Security and Risk Management Professional. She has held positions as the Chief Security Officer for Merck & Co., Inc., Digex Inc, and MCI Security Solutions, and as Executive Vice President, Global Information Security, at Citigroup. She is currently Executive Director for Security Solutions at FishNet Security.
Fusco is certified and accredited as a CISSP, CISM, CHS Level III, National Security Agency INFOSEC Assessment Methodology Auditor (AIM Auditor), National Cryptologic School Adjunct Faculty Certified Instructor (NSA/CSS/NCS), and holds an MS in Information Management.
Podcasts Featuring Pamela Fusco: Real-World Security for Business Leaders
Derek Gabbard brings over 12 years of voice and data networking and network security experience to his Co-founder and Technology Director role at Lookingglass. He is responsible for delivering products and services to Lookingglass’ customers, across the commercial, federal civilian agency, and defense department communities.
Prior to Lookingglass, Gabbard was Chief Technology Officer at Soteria Network Technologies. Gabbard also served as Senior Member of the Technical Staff at the world-renowned CERT® at Carnegie Mellon University. He was responsible for the development and delivery of information assurance and security curriculum. He developed courseware in cryptography, secure remote access methods, firewalls, intrusion detection systems and securing network infrastructure. In addition, Gabbard worked as a manager at Arbor Networks, the industry leader in behavioral analysis and DDoS detection and mitigation, where he was responsible for training development of products and technology aimed at large enterprises and Internet Service Providers.
Gabbard is a 1995 graduate of the United States Air Force Academy.
Podcasts Featuring Derek Gabbard: Analyzing Internet Traffic for Better Cyber Situational Awareness
Brian Gallagher is the Director of the SEI's Acquisition Support Program. He builds teams from across the Software Engineering Institute to support the needs of DoD and other government acquisition programs. Brian was previously employed with the Aerospace Corporation where he worked as a software acquisition and engineering advisor for several Air Force and NRO projects. During his Air Force career, he was the Deputy, Software Engineering with an Air Intelligence Agency remote site, Chief Engineer on the Range Operations Control Center Project at Cape Canaveral AFS, FL, a Software Project Manager for the Titan IV Program Office, and a Software Engineer with Strategic Air Command. He received his B.S. in MIS from Peru State College, and M.S. in CS/Software Engineering from Florida Institute of Technology.
Podcasts Featuring Brian Gallagher: Becoming a Smart Buyer of Software
As Corporate Privacy and Ethics Officer for Verispan, LLC, in Yardley, PA, Scot oversees enterprise-wide data protection and security. He is responsible for setting policy, employee and manager training, client awareness, privacy impact assessments, audit, and incident response management. Scot is responsible for Verispan's annual HIPAA privacy certification and serves as the leader for the Verispan Privacy Board, which is chartered to review all strategic plans and product development for privacy compliance. Scot also serves as the company Ethics Officer, responsible for all Code of Conduct-related operations.
Scot has worked in the healthcare industry for 11 years. Scot received his Bachelor of Arts degree from Baylor University in Waco, Texas, and also holds the Certified Information Privacy Professional certification from the International Association of Privacy Professionals (IAPP). Scot is an active member of the CyLab Privacy Interest Group at Carnegie Mellon University, the Carolina Privacy Official Network and the Council on Data Protection at Quintiles Transnational Corporation.
Podcasts Featuring Scot Ganow: The Value of De-Identified Personal Data
Jeff Gennari is a member of the Malicious Code Team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. In this role, Jeff is tasked with analyzing malware and developing tools and techniques to advance the state of malware analysis. Jeff's experience includes reverse engineering over 100 samples of malware to support the missions of sponsors and collaborators. Notable accomplishments include serving as an expert witness in U.S. federal court in the area of malware analysis, routinely presenting CERT materials at conferences, and training computer security professionals.
In the past, Jeff worked as a vulnerability analyst at CERT where he researched and documented software vulnerabilities and was a researcher at the University of Pittsburgh studying human-robot interfaces. Jeff is currently completing a Master of Software Engineering at Carnegie Mellon University. He holds a BS and MS in Information Science from the University of Pittsburgh.
Podcasts Featuring Jeff Gennari: Building a Malware Analysis Capability
John Haller is an information and infrastructure security analyst with the Resilient Enterprise Management team in the CERT Program at the Software Engineering Institute, Carnegie Mellon University.
Prior to joining CERT, John served as a Special Agent for the United States Postal Service Office of the Inspector General. John also worked for the U.S. Postal Inspection Service, researching online criminal behavior, conducting internet-based investigations, and supporting the development of information systems-based products internationally.
A U.S. Army veteran, John is a member of the Pennsylvania bar. He obtained his J.D. and Master of Public and International Affairs from the University of Pittsburgh.
Podcasts Featuring John Haller: Establishing a National Computer Security Incident Response Team (CSIRT) | Public-Private Partnerships: Essential for National Cyber Security
Michael Hanley is a member of the technical staff in the CERT Program, part of the Software Engineering Institute at Carnegie Mellon University. His research interests include insider threats, security metrics, digital forensics, and network security. Prior to joining the SEI, Michael was a technical leader for a remote system administration team working in a large manufacturing IT environment. During his tenure there, Michael was involved in testing and deploying new software, managing incidents, and supporting systems across the globe. He holds an MSc in Information Security Policy and Management from Carnegie Mellon University and a BA in Economics from Michigan State University.
Podcasts Featuring Michael Hanley: Indicators and Controls for Mitigating Insider Threat
As a Director of Trustworthy Computing Strategy & Risk Management for Microsoft, Kim Hargraves is responsible for the strategy and risk management program supporting such topics as privacy, accessibility and geopolitical intelligence. This includes developing and implementing global programs that enhance the privacy features of Microsoft products, services, processes and systems. Hargraves focuses on evaluating enterprise policies, risk management and corporate governance structures as they relate to privacy management and is also involved in analyzing technology policy areas such as Radio Frequency ID (RFID) as an advocate for strong privacy safeguards.
Previously, Hargraves managed the business/IT internal audit team at Microsoft, engaging in audit support initiatives to assess systems risk and performing audits across Microsoft's business units. Hargraves was responsible for providing integrated systems audit support services for operations audits, systems development and process reengineering. In addition, she developed a privacy assurance program to enhance Microsoft's ability to ensure compliance with related laws, regulations, corporate directives and best practices.
Prior to joining Microsoft, Hargraves held positions at PricewaterhouseCoopers related to security consulting and financial auditing. She also conducted financial analysis for Specialty Brands.
Hargraves is a member of the International Association of Privacy Professionals, the Institute of Internal Auditors and the Information Systems Audit and Control Association. She holds CIPP, CPA, and CISA certifications.
Podcasts Featuring Kim Hargraves: Protecting Information Privacy - How To and Lessons Learned
Dr. Thomas B. Hilburn is a Professor Emeritus of Software Engineering at Embry-Riddle Aeronautical University. He has worked on software engineering research and education projects with the FAA, General Electric, Harris Corp, the MITRE Corporation, DOD, FIPSE, the SEI, and the NSF.
His current interests include software processes, object-oriented design, formal specification techniques, and curriculum development, and he has published over 60 papers in these areas. He is an IEEE Certified Software Developer, SEI-Certified PSP Developer, and currently chairs the Curriculum Committee of the IEEE-CS Educational Activities Board and Planning Committee of the IEEE-CS Professional Activities Board.
Podcasts Featuring Thomas Hilburn: Software Assurance: A Master's Level Curriculum
Dr. Gary Hinson PhD MBA CISSP CISM CISA is an IT governance specialist with over two decades in information security, risk management and IT audit. Having been employed by large pharmaceuticals, utilities, engineering, IT and financial services companies, he has been consulting since the turn of the millennium. Gary is passionate about information security awareness and the ISO/IEC 27000-series information security management standards, contributing to the continued development of the ISO27k standards through Standards New Zealand.
Podcasts Featuring Gary Hinson: Getting in Front of Social Engineering
Ralph Hood is the Lead Program Manager for the Security Development Lifecycle (SDL) in Microsoft's Trustworthy Computing Group. He is responsible for the security policy development best practices that all Microsoft product groups are required to follow. Prior to his current role, Ralph spent two years as the project manager in the Microsoft Automotive group. Other roles in his 10 year career at Microsoft have included Lead Security Program Manager in the Windows Sustained Engineering team, and Active Directory deployment and support in Microsoft's internal IT organization. Prior to joining Microsoft, Ralph managed the IT infrastructure and helpdesk at the corporate headquarters of The Salvation Army in Southern California.
Podcasts Featuring Ralph Hood: Integrating Privacy Practices into the Software Development Life Cycle
Kim Howell is the Director of Privacy Governance in Microsoft's Trustworthy Computing Group (TwC). She has been working at Microsoft for nearly 10 years, 8 of those in privacy. Her team manages the corporate privacy policies and standards, and is the primary point of contact between TwC and the Business Group Privacy Managers who are responsible for policy compliance. She is a two-time recipient of the MS Trustworthy Computing Privacy Excellence Award, and frequently presents at privacy conferences such as those held by the International Association of Privacy Professionals.
Prior to working at Microsoft, Kim worked in both the financial and publishing industries. She has a Master's Degree in Applied Statistics and a background in database marketing, building statistical models for targeted marketing.
Podcasts Featuring Kim Howell: Integrating Privacy Practices into the Software Development Life Cycle
Mike joined the Raleigh office of Womble Carlyle Sandridge & Rice, PLLC, on June 1 of this year after having practiced for 20 years at the Smith Anderson firm in Raleigh. Mike represents clients nationally in areas of privacy and data protection, including HIPAA, Gramm-Leach-Bliley, state privacy and data breach laws, PCI Security Standards, and CAN-SPAM. Mike co-authored the American Medical Association's HIPAA Policies and Procedures Desk Reference and Field Guide to HIPAA Implementation. Mike also co-authored a chapter in West's Health Law Handbook titled "De-identified Health Information: Legal and Practical Approaches to HIPAA Compliance." Governor Mike Easley appointed Mike to the North Carolina Medical Care Commission. Mike also is on the Board of the North Carolina Society of Health Care Attorneys and a co-founder of the Carolina Privacy Officials Network.
Podcasts Featuring Scot Ganow: The Value of De-Identified Personal Data
Philip Huff is the Manager of Security and Compliance at Arkansas Electric Cooperative Corporation with responsibility in SCADA (Supervisory Control and Data Acquisition) security and CIP (Critical Infrastructure Protection) compliance. He received his undergraduate degree from Harding University and a Master's in Computer Science/Information Security from James Madison University. He is a CISSP and holds DoD certifications in information system security. Currently, he serves as Vice Chair on the team to draft the next version of the NERC (North America Electric Reliability Corporation) cyber security standards for the electric industry.
Podcasts Featuring Philip Huff: Public-Private Partnerships: Essential for National Cyber Security
Steve Huth is the Deputy Director for Operations in the CERT Program and a Senior Member of the Technical Staff at Carnegie Mellon University's Software Engineering Institute (SEI). He has over 25 years of experience in software development, network design and management, information security, and technical and program management. Currently he is working with the Supreme Council of Information and Communication Technology in Qatar to develop Q-CERT and the GCC-CERT.
Prior to joining the CERT Program, Huth was the SEI's IT Manager and the Data Network Manager for the University of Pittsburgh.
Podcasts Featuring Steve Huth: IT Infrastructure: Tips for Navigating the Tough Spots
Nicholas Ianelli is a member of the technical staff at the Software Engineering Institute's CERT® Coordination Center (CERT/CC). Nick is an analyst on the CERT/CC's Artifact Analysis team researching malicious code. Prior to joining the CERT/CC, Nick worked as a network engineer at a national (US) Internet service provider.
Podcasts Featuring Nicholas Ianelli: Tackling The Growing Botnet Threat
M. Eric Johnson is Director of Tuck's Glassmeyer/McNamee Center for Digital Strategies and Professor of Operations Management at the Tuck School of Business, Dartmouth College. His teaching and research focus on the impact of information technology on supply chain management. Through funding from the National Institute of Standards and Technology, Department of Justice, and the Department of Homeland Security, he is currently studying how information security and trust affect supply chain relationships. He has testified before the US Congress on information security and published recent articles on security and collaboration in the Financial Times, Sloan Management Review, IEEE Security and Privacy, and CIO Magazine. He holds a B.S. in Engineering, B.S. in Economics, an M.S. in Engineering and Operations Research from Penn State University, and a Ph.D. in Engineering from Stanford University.
Podcasts Featuring M. Eric Johnson: Inadvertent Data Disclosure on Peer-to-Peer Networks
Ray is a Senior Consultant with APQC, a not-for-profit research institute with over 30 years of systematic quality and process improvement research. Prior to joining APQC, Ray was the IBM executive who led the development of the Smart Grid Maturity Model (SGMM), with support from APQC and the Global Intelligent Utility Network Coalition, starting in 2007 through its donation for long term stewardship to Carnegie Mellon University's Software Engineering Institute (SEI) in March of 2009.
Ray has since retired from IBM, but not retired from work. His roles at APQC include assisting utilities in taking advantage of the SGMM as a tool to support their smart grid initiatives. He is also participating in efforts to replicate the success of the SGMM with similar model development for other segments of the energy industry.
Ray joined IBM's Global Energy and Utilities Industry in 2006 and played an integral role in creating the business case and strategy that helped spark IBM's investment in Intelligent Utility Networks (IUN), or smart grids. He had a total of 32 years of experience with IBM, holding multiple positions in sales, management, marketing, strategy, and product management. He is a graduate of the University of Tennessee and now lives and works out of St. Petersburg, Florida and Jonesport, Maine.
Podcasts Featuring Ray Jones: Introducing the Smart Grid Maturity Model (SGMM)
Steve Kalinowski is a senior member of the technical staff and the manager of the CERT Infrastructure Group at the Software Engineering Institute (SEI). Working with a small cadre of professionals in information technology, Kalinowski is responsible for the evolution and operation of the CERT Program's information infrastructure. He also approves all core technical purchases and collaborates with the CERT director's office on management of program policy.
Previously, Kalinowski was a software developer on a team that designed and implemented the CERT Knowledgebase. Prior to joining the SEI, he was the UNIX computing services coordinator for the University of Pittsburgh. Early in his career, he was a software developer on products related to intelligent electronics troubleshooting and factory management systems.
Kalinowski holds an Information Security Management certificate and an MS in Public Management from Carnegie Mellon University and a BS in Computer Science from the University of Pittsburgh. He is a member of the Institute for Electrical and Electronic Engineers (IEEE), the Association of Computing Machinery (ACM), and USENIX/SAGE.
Podcasts Featuring Steve Kalinowski: IT Infrastructure: Tips for Navigating the Tough Spots
Georgia Killcrece is a Member of the Technical Staff in the CERT Program at the Software Engineering Institute (SEI). She has over seventeen years of direct experience within the CERT/CC in developing and transitioning best practices for developing effective incident response teams. Since 1999 Killcrece has led the CERT CSIRT Development Team within the CERT Program.
She takes an active role in promoting the development of computer security incident response teams (CSIRTs) worldwide and has worked directly with a number of government, industry, and academic enterprises to facilitate the development of their incident management capabilities. Her team is involved in developing products aimed at evaluating CSIRT capabilities that can be transitioned to the global incident response community.
Killcrece is internationally recognized as a leader in CSIRT development activities and has been a guest lecturer and invited speaker at numerous international conferences and government venues. She chaired the 2006 FIRST conference, an international forum representing over 180 government, academia, and industry response teams.
Killcrece manages and participates in the creation and delivery of a suite of products targeted at creating, managing, and sustaining effective incident management practices, including technical reports, articles, public and on-site training, as well as facilitated workshops focused on CSIRT development. She is an author and contributor to a series of CSIRT documents that define best practice approaches for effective incident response. More information about the CSIRT Development Team is available on the CERT web site at http://www.cert.org/csirts/.
Killcrece can be reached directly by email at email@example.com.
Podcasts Featuring Georgia Killcrece: The Real Secrets of Incident Management
Kelly Kimberland manages the SEI's media relations and analyst relations programs. In this role, she has successfully grown media coverage of the SEI, launched the Institute's first analyst relations program, developed and implemented PR campaigns, and is the project leader for this year's Annual Report. She provides consultation to senior executives on strategic messaging, facilitates press/analyst briefings, and conducts media relations training for new employees. Her professional background includes managing an employee communications program, producing corporate magazines, organizing events, and contributing articles to the Pittsburgh Post-Gazette and F.L. Primo Magazine.
She has served on the Public Relations Society of America Pittsburgh Chapter Board of Directors for five years, most recently as the chapter's treasurer and National Assembly delegate. She is an adjunct instructor in advanced public and media relations at Duquesne University. She has a Bachelor of Arts degree from Washington and Jefferson College, a Master of Arts degree from Duquesne University, and most recently became Accredited in Public Relations from the Public Relations Society of America.
Podcasts Featuring Kelly Kimberland: Crisis Communications During a Security Incident
Gene Kim is the CTO and founder of Tripwire, Inc. Since 1999, he has been studying high-performing IT operations and security organizations. In 2004, Kim co-founded the IT Process Institute, which is dedicated to research, benchmarking and developing prescriptive guidance for IT operations and security management and auditors. In 2004, he co-authored the "Visible Ops Handbook: Implementing ITIL in Four Practical And Auditable Steps" and was a principal investigator on the IT Controls Performance Study project, completed in 2006. He currently serves on the Advanced Technology Committee for the Institute of Internal Auditors. In 2005, he co-authored the IIA guide "Auditing Change and Patch Management Controls" and is part of the GAIT task force, which has created guidance on how to scope IT general controls for SOX-404.
Podcasts Featuring Gene Kim: Connecting the Dots Between IT Operations and Security | Change Management: The Security 'X' Factor
After serving in the U.S. Navy as Director of Computer-Aided Ship Design at the Bureau of Ships and Design Superintendent at the Pearl Harbor Naval Shipyard, Mr. Kreitner has for the past 36 years been President and CEO of two information technology companies, Response of Hawaii, Inc. and American Information Systems, Inc (1971-89), a number of hospitals (1989-2000), and since 2000, The Center for Internet Security.
From 1989-2000, he served as President and CEO of the Reading Rehabilitation Hospital and as President/CEO of the Southeastern Region of the Adventist Health System, with responsibility for seven acute care hospitals in four states. He served as a Board Member of the parent company and was Chairman of the Board of several of the hospitals.
Mr. Kreitner is the founding President and CEO of The Center for Internet Security. He earned an undergraduate degree from the U.S. Naval Academy and graduate degrees from Webb Institute and American University.
Podcasts Featuring Clint Kreitner: Reducing Security Costs with Standard Configurations: U.S. Government Initiatives | Getting to a Useful Set of Security Metrics
Deborah Lafky, PhD, serves as the subject matter expert and program officer for Healthcare Information Technology (HIT) Security/Cybersecurity within the Office of the National Coordinator for Health IT (ONC). As the nation moves forward with large-scale HIT adoption, creating a safe and secure health information environment is of paramount importance. ONC's HIT security and cybersecurity programs provide critical support for the privacy and security of health information.
Deborah's experience includes:
- White House HIT Task Force: Cybersecurity Working Group coordinator
- National Strategy for Trusted Identities in Cyberspace (NSTIC) | Inter-Agency committee delegate for HHS, HIT SME
- National Science and Technology Council (NSTC) Sub-Committee on Biometrics and Identity Management | Identity Management Task Force
- Federal CIO Council Identity, Credentialing and Access Management Sub-Committee (ICAMSC) | Citizen Outreach Focus Group
- HIMSS Patient Identity Integrity Work Group
Podcasts Featuring Deborah Lafky: Considering Security and Privacy in the Move to Electronic Health Records
Brett Lambo is the Director of the Cyber Exercises Program for the U.S. Department of Homeland Security's National Cyber Security Division (NCSD). Mr. Lambo leads the NCSD Cyber Exercises Program which, in collaboration with cyber security partners, designs, develops, and conducts cyber exercises at the federal, state, regional, local, and sector level.
Prior to his position at NCSD, Mr. Lambo played a lead role in the DHS Office of Infrastructure Protection's Critical Infrastructure protection partnership efforts. He was closely involved in the creation, development, implementation, and operation of the sector partnership and the Critical Infrastructure Partnership Advisory Council (CIPAC), DHS's principal mechanism for public-private and federal/state collaboration for critical infrastructure protection. Other engagements included the information sharing strategy for the National Infrastructure Protection Plan (NIPP), as well as the development and exercise of the Office of Infrastructure Protection's incident management plans, procedures and operations including deployment for real-world incidents such as Hurricane Katrina and the 2007 California wildfires.
Prior to his tenure at DHS, Mr. Lambo spent almost 10 years as a consultant to federal and state government agencies. Mr. Lambo holds a B.A. in Political Science from the University of Chicago.
Podcasts Featuring Brett Lambo: Conducting Cyber Exercises at the National Level
Dr. Barbara Laswell is the technical manager and director of the Practices, Development and Training group in the CERT Program at the Software Engineering Institute (SEI). Laswell's work focuses on enhancing the transition of cyber security knowledge through practices and training with the vision of creating an information assurance empowered global workforce. She manages training and education initiatives for organizations in the public and private sectors, both in the U.S. and internationally.
Her current responsibilities include assisting organizations and nations in building computer security incident management capabilities and providing the Internet community with practices and methodologies for securing network-based and software-intensive systems and for addressing known deficiencies in today's technology.
She manages the design, development, delivery, and evaluation of information assurance curricula for technical staff, managers, senior executives, and educators. Currently at the CERT Training and Education Lab, the team is creating a state-of-the-art virtual training environment to provide anytime, anywhere in-depth scenario-based training at the individual, team, and enterprise levels.
Laswell received her B.A. degree from the State University of New York at Albany, and M.A. and Ph.D. degrees from Stanford University. Her professional research interests focus on knowledge formation, problem-centered instructional design, the design and evaluation of education systems, and learning organizations. She is a member of the American Educational Research Association and the American Society for Training and Development.
Podcasts Featuring Barbara Laswell: Building Staff Competence in Security
Martin Lindner is a senior member of the technical staff in the CERT Program at the Software Engineering Institute (SEI) and is focused on providing technical support and expertise to U.S. government agencies.
In his previous role as the team leader for incident handling, Lindner was responsible for overseeing and processing all the security incidents reported to the CERT/CC. Lindner worked with government agencies, other CSIRTs, vendors, ISPs and security experts to understand and limit the impact of malicious Internet activity.
Lindner led the cyber investigation of the August 14, 2003 Northeast power outage and had a lead role in designing national and international cyber exercises including Livewire and Cyberstorm.
Prior to joining the SEI, Lindner worked at the University of Pittsburgh for 18 years, where he held numerous positions, including manager of desktop services and network manager. As the manager of desktop services, Lindner was responsible for all aspects of the PC desktop operations for the university. As the network manager, Lindner designed and implemented the tools used to control, manage, and study the university's network.
Lindner teaches Internet Security at Carnegie Mellon University's Heinz College.
Podcasts Featuring Martin Lindner: Proactive Remedies for Rising Threats | More Targeted, Sophisticated Attacks: Where to Pay Attention
Richard Linger is a Senior Member of the Technical Staff and Manager of the CERT Secure Systems Analysis Group at the Software Engineering Institute, Carnegie Mellon University. He directs research and development on Function Extraction (FX) technology for software behavior computation, with a focus on malware analysis and software test and evaluation. He has also served as an adjunct faculty member at the CMU Heinz School of Public Policy and Management.
At IBM, Richard co-developed Cleanroom Software Engineering technology for development of high reliability software systems, including box-structure specification, function-theoretic design and correctness verification, and statistical usage-based testing for certification of software fitness for use. He has extensive experience in project management; software specification, design, verification, testing, and certification; software re-engineering and reverse engineering; and technology transfer and education. He has published three software engineering textbooks, 12 book chapters, and over 60 papers and journal articles. He is a member of the AIAA and ACM, and a senior member of the IEEE.
Podcasts Featuring Richard Linger: Software Assurance: A Master's Level Curriculum
Thomas Longstaff is the Deputy Director for Technology in the CERT Program at the Software Engineering Institute (SEI). Longstaff has spent the past 12 years managing and initiating many of the CERT/CC's projects and initiatives such as the CERT Analysis Center, CERT Research Center, many survivability projects, and most recently Network Situational Awareness. His current scope of work includes evaluating technology across the entire CERT Program to assure continued quality and innovation of all the work at CERT. Longstaff is responsible for strategic planning for the program, technology scouting for promising avenues to address security problems, and operating as a point of contact between research projects at Carnegie Mellon University and CERT.
Prior to coming to the Software Engineering Institute, Longstaff was the technical director at the Computer Incident Advisory Capability (CIAC) at Lawrence Livermore National Laboratory in Livermore, California. Longstaff obtained his M.S. in 1986 and Ph.D. from the University of California, Davis in 1992 in software environments, and his B.A. from Boston University in 1983 in Physics and Mathematics.
Longstaff's publications span topics such as security policy, information survivability, insider threat, intruder modeling, and intrusion detection. His awards include Best Paper in 1995 at the NCSC Conference and the Carnegie Mellon University Andy Award for Outstanding Innovation in 2000.
Podcasts Featuring Tom Longstaff: Evolving Business Models, Threats, and Technologies: A Conversation with CERT's Deputy Director for Technology
Stephanie Losi is a graduate of the Information Security Policy and Management program at Carnegie Mellon University in Pittsburgh, Pennsylvania. While at Carnegie Mellon, she worked with CERT's Practices, Development & Training team to develop security awareness training and policies for executives and information security personnel.
In addition, Losi has authored online courses dealing with business ethics and served as managing editor of the E-Commerce Times. Her undergraduate degree is a B.S. in journalism from Northwestern University.
Podcasts Featuring Stephanie Losi: The ROI of Security
Paul Love, CISSP, CISA, CISM, Security+, has been in the IT and Information Security field for over 15 years. Paul holds a Master of Science degree in Network Security and a Bachelor of Arts in Information Systems. He has recently co-authored Security Visible Ops as well as three other security and IT books, contributed to multiple Linux/Unix books, and has been the technical editor for over 10 Linux and Unix books with major publishers. Paul is currently the Director of Information Security at The Standard.
Podcasts Featuring Paul Love: Making Information Security Policy Happen
Art Manion is a senior member of the Vulnerability Analysis team in the CERT Program at the Software Engineering Institute (SEI), Carnegie Mellon University. Since joining CERT in 2001, Manion has studied vulnerabilities, coordinated disclosure efforts, and published advisories, alerts, and vulnerability notes for CERT/CC and US-CERT. Manion currently focuses on vulnerability discovery and other areas of applied research, including ways to automate and improve operational vulnerability response. Prior to joining the SEI, Manion was the Director of Network Infrastructure at Juniata College.
Podcasts Featuring Art Manion: Managing Security Vulnerabilities Based on What Matters Most | Securing Industrial Control Systems | How to More Effectively Manage Vulnerabilities and the Attacks that Exploit Them
Tim Mather is Vice President and Chief Security Strategist for RSA, The Security Division of EMC. He is responsible for keeping ahead of security industry trends, technology, and threats for the RSA Conference.
Prior to RSA, Mather was Vice-President of Technology Strategy in Symantec’s Office of the Chief Technology Officer, responsible for coordinating the company’s long-term technical and intellectual property strategy. In addition, he served for nearly seven years as VP and Chief Information Security Officer (CISO), responsible for developing information systems security policies, overseeing implementation of all security-related policies and procedures, and information systems audit-related activities. He also worked with internal products groups on security capabilities in Symantec products.
Mather is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Manager (CISM). He holds Master's degrees in National Security Studies from Georgetown University and International Policy Studies from the Monterey Institute of International Studies. He holds a Bachelor’s degree in Political Economics from the University of California at Berkeley.
Podcasts Featuring Tim Mather: The Upside and Downside of Security in the Cloud
David Matthews is currently the Deputy Chief Information Security Officer for the City of Seattle. He has worked in the Information Technology field since 1992. He began working for the City of Seattle as the Technology Manager for the Legislative Department (City Council) in 1998. In early 2005 he was selected to be the first Deputy CISO for the City and has also served as Acting CISO.
He is a participant and leader in regional information security organizations. He is co-chair of the US-CERT/DHS sponsored North West Alliance for Cyber Security (NWACS) and an active participant in the Agora, Pacific CISO forum (PACISSO), Computer Technology Investigators Network (CTIN), ISSA, ISACA, InfraGard and ISC2. He participates on the local Critical Infrastructure Protection sub-committee of the Regional Homeland Security team, and also works with a national infrastructure protection group, The Infrastructure Security Partnership. He is the winner of the West Region Information Security Executive of the Year award for 2008.
Podcasts Featuring David Matthews: Integrating Security Incident Response and e-Discovery
Joe Mayes is a member of the technical staff within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. He manages curriculum and training delivery platforms for cybersecurity products for the U.S. Cyber Command, Air Force Research Laboratory, NORAD-US Northern Command, and the Federal Virtual Training Environment (Fed-VTE). Mayes has also been a part-time Cisco instructor and consultant since 2007 for Skyline Advanced Technology Services in the fields of IP telephony, network security, wireless networking, and streaming media solutions for sports venues. In addition to his work at the SEI, Mayes spent 10 years as a Sergeant Major in Information Operations in the U.S. Army Reserve.
Mayes is a Microsoft Certified Trainer, a Cisco Certified Academic Instructor, a Cisco Certified Systems Instructor, and a certified instructor for the U.S. Army. He founded the Cisco Networking Academy and the Wired and Wireless Communications Technology programs at Bellevue Community College. He has more than 25 current IT certifications in IT networking, information security, and wireless and telephony technologies, including CISSP, MCSE, CCSP, and Certified Electronics Technician in Telecommunication Electronics.
Mayes has a Master's degree in education from the University of Washington and a Bachelor of Science degree from Western Washington University.
Podcasts Featuring Joe Mayes: Securing Mobile Devices aka BYOD
Chris May is the technical manager of CERT's Workforce Development team. CERT is a program at the Software Engineering Institute, a unit of Carnegie Mellon University in Pittsburgh, PA. Chris leads large projects with numerous U.S. Government agencies including the Department of Homeland Security and the Department of Defense. Additionally, he teaches graduate courses in applied information assurance and computer forensics for CMU’s Information Networking Institute.
Prior to joining the SEI, Chris served eight years in the U.S. Air Force as a communications/computer systems officer. He served in various IT positions in Korea, Japan, and throughout Europe and the United States. May's last Air Force assignment was Chief of the Network Control Center at the United States Air Force Academy in Colorado Springs, Colorado. He led over 90 technicians, supporting 9,000 users, in the daily operations and maintenance of the 3rd largest base network in the U.S. Air Force.
Chris received his bachelor's in education from Indiana University of Pennsylvania, and a master's in computer resources management from Webster University. He is a Certified Information Systems Security Professional (CISSP), a Microsoft Certified Trainer (MCT), and a Microsoft Certified Systems Engineer (MCSE). Chris is also a Cisco Certified Network Associate (CCNA), and a distinguished graduate of the U.S. Air Force Basic/Advanced Communications Officer Training School in Biloxi, Mississippi.
Podcasts Featuring Chris May: Better Incident Response through Scenario Based Training
Gary McGraw is the CTO of Cigital, Inc., a software security and quality consulting firm with headquarters in the Washington, D.C. area. He is a globally recognized authority on software security and the author of six best selling books on this topic. The latest, Exploiting Online Games was released in 2007. His other titles include Java Security, Building Secure Software, Exploiting Software, and Software Security; and he is editor of the Addison-Wesley Software Security series.
Dr. McGraw has also written over 90 peer-reviewed scientific publications, authors a monthly security column for informIT, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Fortify Software and Raven White.
His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean's Advisory Council for the School of Informatics. Gary is an IEEE Computer Society Board of Governors member and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine.
Podcasts Featuring Gary McGraw: How to Start a Secure Software Development Program | An Experience-Based Maturity Model for Software Security | How to Develop More Secure Software: Practices from Thirty Organizations
Nancy R. Mead is a senior member of the technical staff in the CERT Program at the Software Engineering Institute (SEI), Carnegie Mellon University. Mead is also a faculty member in the Master of Software Engineering and Master of Information Systems Management programs at Carnegie Mellon University. Her research interests are in the areas of information security, software requirements engineering, and software architectures.
Mead has more than 150 publications and invited presentations. She is a Fellow of the Institute of Electrical and Electronic Engineers, Inc. (IEEE) and a Distinguished Member of the Association for Computing Machinery (ACM). Dr. Mead received her PhD in mathematics from the Polytechnic Institute of New York, and received a BA and an MS in mathematics from New York University.
Podcasts Featuring Nancy Mead: Identifying Software Security Requirements Early, Not After the Fact | Software Assurance: A Master’s Level Curriculum
Dr. Nader Mehravari is with the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. His current areas of interest and research include operational resilience, protection and sustainment of critical infrastructure, preparedness planning, and associated risk management principles and practices.
Nader was with Lockheed Martin from 1992 through 2011. In his most recent assignment, he was the Director for Business Resiliency. In this capacity, he led and oversaw all preparedness planning and associated governance and compliance activities. He was responsible for building and leading Lockheed Martin's resiliency program where he successfully implemented a modern, integrated, risk management based approach to disaster recovery, business continuity, pandemic planning, crisis management, emergency management, and workforce continuity for all of Lockheed Martin.
Prior to Lockheed Martin, Nader was a distinguished member of the technical staff at AT&T Bell Laboratories, where he was involved with the design, development, and performance analysis of new telecommunications systems.
Nader received his MS and PhD in Electrical Engineering from Cornell University and his BS in Electrical Engineering from George Washington University. He is currently an Adjunct Professor at Departments of Electrical and Computer Engineering of Cornell University and Syracuse University. He also currently serves as the chair of the Advisory Council for Cornell University's School of Electrical and Computer Engineering.
Podcasts Featuring Nader Mehravari: Managing Disruptive Events: Making the Case for Operational Resilience | Managing Disruptive Events: Demand for an Integrated Approach to Better Manage Risk
Sam Merrell is a member of the technical staff in the CERT Program at the Software Engineering Institute (SEI).
As a part of the Survivable Enterprise Management Team, Merrell works with organizations to improve their information security management practices. This work has included FISMA compliance efforts and analysis of information security programs of Federal agencies. He is currently working on Critical Information Infrastructure Protection projects within the U.S. as well as internationally.
Prior to joining the SEI, Merrell spent seven years as the Information Technology Manager for a Pittsburgh-area community bank. Prior to that, he was an information technology consultant, primarily supporting the IBM AS/400. Merrell holds an undergraduate degree from the University of Pittsburgh and holds the CISSP certification as well as the SANS GGSC certificate.
Podcasts Featuring Sam Merrell: Initiating a Security Metrics Program: Key Points to Consider | Public-Private Partnerships: Essential for National Cyber Security
Matthew Meyer, vice president, has been M&I Corporation's Business Continuity Manager since 2004. Matthew has held various positions in information security, business continuity, and disaster recovery in his 18-year career with M&I. Meyer is a Certified Business Continuity Professional (CBCP) and Certified Information Systems Security Professional (CISSP).
Matthew earned a Bachelor of Business Administration degree from the University of Wisconsin-Whitewater and a Master of Business Administration from Cardinal Stritch University. He also serves on the board of directors for the Southeast Wisconsin Homeland Security Partnership, Inc. (SWHSP) and is an active member of the Business Resumption Planners Association of SE WI.
Podcasts Featuring Matthew Meyer: Train for the Unexpected
Sammy Migues is a Principal at Cigital, Inc. He has spent nearly three decades advancing the cause of information security through entrepreneurial innovation, intellectual capital development, practical business solutions, and performance optimization. Migues has experience in chief architect, chief technologist, and evangelist roles, working directly with customers, product developers, and consultants.
As a founding member of four security services organizations, Migues was responsible for creating the practical knowledge leveraged for repeatability and business growth. As an early participant in activities ranging from NSA "Rainbow Books", NIST Common Criteria, and DoD DITSCAP initiatives to state-of-the-art compliance management and software security risk models, he made critical observations on the evolving relationships between information security threat, vulnerability, risk, and business objectives. Migues expressed many of these ideas in various publications and workshops, as well as in patent applications for the iDEFENSE intelligence generation process, the TruSecure risk management process, and the Cybertrust security risk index. Most recently he has been working on the Build Security In Maturity Model (BSIMM) for software security groups.
Migues holds a BS in Computer Science and a Master’s degree in Information Security.
Podcasts Featuring Sammy Migues: An Experience-Based Maturity Model for Software Security | How to Develop More Secure Software: Practices from Thirty Organizations
Joji Montelibano is the Technical Manager of the Vulnerability Analysis Team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. He has over 15 years' experience in the fields of software development and network engineering. He began his career developing software for the petroleum and chemical industries, where he created customized simulation programs for companies such as Shell Oil, Sunoco, and Foster Wheeler. Prior to joining CERT, Joji was a Senior Information Security Analyst for the RAND Corporation, where his main projects focused on securing and ensuring the availability of military networks and communications.
He holds an undergraduate degree in Chemical Engineering from Stanford University, and Master's degrees from Harvard University and the University of Southern California. He is co-author of three books dealing with military communications: Bits on the Ground: Closing the Gaps in Defense of the Army's Networks (RAND, 2010), Navy Network Dependability: Models, Metrics, and Tools (RAND, 2010), and Finding Services for an Open Architecture (RAND, 2011). Joji holds numerous certifications, including the CISSP, CCNP (Cisco), ACSA (ArcSight), and CSTE (Quality Assurance Institute).
Podcasts Featuring Joji Montelibano: NIST Catalog of Security and Privacy Controls, Including Insider Threat
Andrew P. Moore is a senior member of the CERT technical staff at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. Moore explores ways to improve the security, survivability, and resiliency of enterprise systems through insider threat and defense modeling, incident processing and analysis, and architecture engineering and analysis.
Before joining the SEI in 2000, he worked for the Naval Research Laboratory (NRL) investigating high-assurance system development methods for the Navy. He has over twenty years’ experience developing and applying mission-critical system analysis methods and tools, leading to the transfer of critical technology to both industry and the military.
Moore has published two book chapters and a wide variety of technical journal and conference papers. His research interests include computer and network attack modeling and analysis, IT management control analysis, survivable systems engineering, formal assurance techniques, and security risk management. Moore received his BA in Mathematics from the College of Wooster and MA in Computer Science from Duke University.
Podcasts Featuring Andy Moore: Mitigating Insider Threat: New and Improved Practices
Kevin Moore is a member of the technical staff in the CERT Forensics Team at Carnegie Mellon University's Software Engineering Institute.
In addition to providing operational support to law enforcement and intelligence agencies on emerging trends in forensics, Kevin helps maintain and develop the CERT Forensics lab, including CERT's Clustered-Computer Analysis Platform (CCAP) environment.
Prior to joining the SEI, Kevin worked in the private sector performing global forensic and electronic discovery investigations. He holds a B.S. degree in Economic Crime Investigation from Utica College of Syracuse University.
Podcasts Featuring Kevin Moore: TJX, Heartland, and CERT’s Forensics Analysis Capabilities
Patricia B. Morrison is executive vice president and chief information officer for Motorola. In this role, Morrison oversees all strategic, operational and financial aspects of the company's information technology architecture, systems, tools, processes and infrastructure. Patty joined Motorola in 2005 and has led an effort to build a global IT organization that delivers world-class IT value creation. In her first year, Motorola jumped from a #46 to a #12 ranking among the InformationWeek Top 500 IT innovators for 2006, and #1 in the manufacturing industry segment.
Morrison brings Motorola more than 20 years of systems and IT expertise in a wide variety of roles. Before joining Motorola in 2005, Morrison served as executive vice president and chief information officer of Office Depot, Inc., where she led the transformation of Office Depot's IT architecture and helped the company to achieve more than $100 million in efficiency improvements.
Prior to Office Depot, Morrison served as CIO of The Quaker Oats Company in Chicago. As CIO, Morrison oversaw Quaker's systems integration with PepsiCo following Pepsi's acquisition of Quaker Oats in 2001. She serves on the boards of the Chicago Symphony Orchestra, the Lyric Opera of Chicago and Jo-Ann Stores, Inc., where she chairs the board's governance committee.
Podcasts Featuring Patty Morrison: Dual Perspectives: A CIO's and CISO's Take on Security
David Mundie is a member of the CSIRT Development Team within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. He has been at CERT since 2000 and has worked in a variety of areas including insider threat, malware analysis, and incident management capability metrics. From 2006 to 2009, he was a member of the Q-CERT project, which established a national information security team for the country of Qatar.
David's current research interests include formal ontologies for information security, insider threat patterns, and models of incident information sharing. Prior to joining CERT, he worked at Texas Instruments and Western Digital on compiler development, test engineering, and process improvement.
Podcasts Featuring David Mundie: Using a Malware Ontology to Make Progress Towards a Science of Cybersecurity
Dr. Gregory Newby is Chief Scientist at the Arctic Region Supercomputing Center. His current research focuses on information retrieval and acceleration technology for high-performance computing. Newby has held faculty positions at the University of Illinois at Urbana-Champaign and the University of North Carolina at Chapel Hill. As an advocate for the creation and distribution of digital information, he has worked with Project Gutenberg for over a decade. He lives in the Two Rivers area of Fairbanks, Alaska with his wife, 28 dogs, and one cat.
Podcasts Featuring Greg Newby: The Human Side of Security Trade-Offs
Betsy Nichols is a serial entrepreneur who has applied mathematics to develop solutions in satellite mission optimization, industrial process control, war gaming, economic modeling, enterprise systems and network management, and most recently security metrics. Prior to starting PlexLogic, Nichols founded two other software companies in the roles of CTO and VP Engineering. The first company, Digital Analysis Corporation (DAC), implemented network and systems management software. DAC was acquired by Legent Corporation. When Computer Associates acquired Legent, Nichols became one of two principal architects for Unicenter TNG. The DAC technology became the real-time agent infrastructure for Unicenter. In the time Nichols was at CA, Unicenter revenues grew from $50M to over $3B. The second company, ClearPoint Metrics, was the first company dedicated to implementing software products for automating the collection, calculation, and communication of security metrics.
Nichols is an author of five textbooks on microprocessor programming and interfacing as well as numerous articles in both the trade press and academic journals. Most recently, she was co-chair of the Metricon 2.0 Workshop and contributed to Andrew Jaquith's book Security Metrics - Replacing Fear, Uncertainty, and Doubt. Nichols graduated with an A.B. from Vassar College and a Ph.D. in mathematics from Duke University.
Podcasts Featuring Betsy Nichols: Building a Security Metrics Program | Using Benchmarks to Make Better Security Decisions
Alex Nicoll is a Senior Cyber-Security Analyst with the CERT program at Carnegie Mellon University. Alex serves as the technical lead for Cyber-Security Compliance Validation (CCV) assessments performed at the behest of the Department of Homeland Security. In addition to his CCV work, Alex also functions as a subject matter expert on various security and privacy related topics, including secure operating systems and vulnerability assessments.
Prior to joining CERT, Alex was a Senior Technology Research Fellow at the University of Nebraska at Omaha (an NSA Center of Academic Excellence in Information Assurance), where he served as the Associate Director of the Nebraska University Consortium on Information Assurance.
Alex also worked for BAE Systems at US Strategic Command. Alex served as the primary Systems Architect on the Distributed Command and Control (DC2), designing data centers and large scale redundant/fault-tolerant computing systems. Prior to his work at the University of Nebraska, Alex was a systems administrator and engineer for both Texas Tech University and Purdue University.
Podcasts Featuring Alex Nicoll: Why Organizations Need a Secure Domain Name System
Richard Nolan is a member of the technical staff in the CERT® Program at the Software Engineering Institute (SEI).
Currently, Nolan serves as an internet forensic specialist. In addition to his work in network forensics, Nolan develops best practices for administering and securing information systems and networks. He also develops SEI training courses.
Prior to joining the SEI, Nolan served for seven years as a special agent with the United States Department of Justice. While there, he conducted numerous internet-based investigations and executed dozens of federal search warrants at U.S. internet service providers.
Nolan holds a BS and MS in Education from Duquesne University. He is also a graduate of the FBI Academy and a member of the Federal Law Enforcement Officers Association. Nolan's publications include Advanced Information Assurance for Technical Staff: a Forensic Guide to Incident Response for Technical Staff.
Podcasts Featuring Richard Nolan: Computer Forensics for Business Leaders: A Primer
Rodney Petersen is a Government Relations Officer with EDUCAUSE and the Coordinator of the EDUCAUSE/Internet2 Computer and Network Security Task Force.
Prior to joining EDUCAUSE, he served as the Director of IT Policy and Planning in the Office of the Vice President and Chief Information Officer at the University of Maryland. Rodney previously held the position of Campus Compliance Officer in the Office of the President at the University of Maryland where he mediated disputes and handled grievances under the Human Relations Code, including claims of discrimination or harassment that increasingly involved misuse of the Internet.
Rodney is the co-editor of a book in the EDUCAUSE Leadership Strategy Series entitled Computer and Network Security in Higher Education. He is a founding member of the Association of College and University Policy Administrators and the author of "A Primer on Policy Development for Institutions of Higher Education" and "A Framework for IT Policy Development."
Rodney writes and speaks regularly on topics related to higher education cyber law and policy. He received his law degree from Wake Forest University and a certificate as an Advanced Graduate Specialist in Education Policy, Planning, and Administration from the University of Maryland.
Podcasts Featuring Rodney Petersen: Cyber Security, Safety, and Ethics for the Net Generation
Richard Pethia is the Director of the CERT® Program at Carnegie Mellon University's Software Engineering Institute (SEI). The program conducts research and development activities to produce technology and systems management practices that help organizations recognize, resist, and recover from attacks on networked systems. The program's CERT Coordination Center (CERT/CC) has formed a partnership with the Department of Homeland Security to provide a national cyber security system, US-CERT.
Pethia is also a co-director of Carnegie Mellon University's CyLab. CyLab is a public/private partnership to develop new technologies for measurable, available, secure, trustworthy, and sustainable computing and communications systems. This university-wide, multidisciplinary initiative involves more than 200 faculty, students, and staff at Carnegie Mellon.
Podcasts Featuring Richard Pethia: CERT Lessons Learned: A Conversation with Rich Pethia, Director of CERT | Tackling Tough Challenges: Insights from CERT’s Director Rich Pethia
William Pollak is a senior writer/editor, member of the technical staff, and Manager of Communications at the Software Engineering Institute at Carnegie Mellon University. The SEI Communications department includes public and media relations, technical writing and editing, communication design, and web publishing and design.
Pollak received his MA in professional writing from Carnegie Mellon in 1991. He is a member of the adjunct faculty in the Carnegie Mellon English Department, where he teaches Marketing, Public Relations, and Corporate Communications.
Richard Power is a distinguished fellow at Carnegie Mellon University's CyLab. An internationally recognized expert in security, intelligence and risk, Power has conducted executive briefings and led professional training in over thirty countries. He is the author of five books, including Secrets Stolen, Fortunes Lost: Preventing Economic Espionage & Intellectual Property Theft in the 21st Century (Elsevier 2008), which he co-authored with Christopher Burgess of Cisco Systems, and Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace (Macmillan/Que 2000).
Prior to joining Carnegie Mellon, Power served as Director of Security Management and Security Intelligence for the Global Security Office (GSO) of Deloitte Touche Tohmatsu and Editorial Director of the Computer Security Institute. During his time at CSI, Power conceived and directed the "CSI/FBI Computer Crime and Security Survey."
Podcasts Featuring Richard Power: Climate Change: Implications for Information Technology and Security
Laura Robinson is Principal of Robinson Insight, a unique industry analyst and marketing consulting company. Robinson Insight looks at the many facets of information security and compliance to identify strategies and solutions that can help information security leaders successfully protect information. Currently Laura is also the program director for the Executive Security Action Forum (ESAF), an industry association of Chief Information Security Officers and other executives from the Global 1000 and government.
With over two decades of experience in technology, Laura has worked for companies as well as government agencies in North America, Europe and Asia. Her corporate experience includes RSA, Brooks Automation, Cygnus Business Media, Matrox, Mettler Toledo, and a division of Hewlett Packard. She has worked for the Government of Alberta, Canada and the Japanese International Cooperation Agency to help expand the role of technology in economic development.
Laura has spoken and written widely on the topics of information security and compliance, and she has authored and contributed to several industry standards and best practice frameworks. Laura holds a Bachelor of Commerce with majors in economics and marketing.
Podcasts Featuring Laura Robinson: Security: A Key Enabler of Business Innovation
Lawrence R. Rogers is a senior member of the technical staff in the CERT Program (also the home of the CERT Coordination Center). He has been writing articles for the non-computer professional for several years and was the chief architect and main contributor to the CERT Survivability and Information Assurance (SIA) Curriculum (see http://www.cert.org/sia for more information). CERT/CC is part of Carnegie Mellon's Software Engineering Institute, a federally funded research and development center located in Pittsburgh, PA.
Podcasts Featuring Larry Rogers: A New Look at the Business of IT Education
Dr. Ron Ross is a senior computer scientist and Fellow at the National Institute of Standards and Technology (NIST). His current areas of specialization include information security, testing and evaluation, and risk management. Dr. Ross leads the Federal Information Security Management Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure. Dr. Ross is the principal architect of the Risk Management Framework that provides a disciplined and structured methodology for integrating the suite of FISMA security standards and guidelines into a comprehensive, enterprise-wide information security program.
In addition to his responsibilities at NIST, Dr. Ross supports the U.S. State Department in the international outreach program for information security and critical infrastructure protection. Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. A graduate of the United States Military Academy at West Point, Dr. Ross served in a variety of leadership and technical positions during his twenty-year career in the United States Army. Dr. Ross is a graduate of the Defense Systems Management College and holds both Master's and Ph.D. degrees in Computer Science from the United States Naval Postgraduate School.
Podcasts Featuring Ron Ross: Integrated, Enterprise-Wide Risk Management: NIST 800-39 and CERT-RMM | NIST Catalog of Security and Privacy Controls
Robin Ruefle is a member of the technical staff of the CERT Program at the Software Engineering Institute (SEI) at Carnegie Mellon University. Ruefle's focus is on the development of management, procedural, and technical guidelines and practices for the establishment, maturation, operation, and evaluation of Computer Security Incident Response Teams (CSIRTs) worldwide. As a member of the CSIRT Development Team, Ruefle develops and delivers courses for CSIRT managers and incident handling staff. Ruefle has co-authored: Handbook for CSIRTs 2nd Edition, Organizational Models for CSIRTs Handbook, CSIRT Services List, State of the Practice of CSIRTs, Defining Incident Management Processes for CSIRTs: A Work in Progress, and numerous other articles and guides.
She is currently working with the rest of the CSIRT Development Team on developing a methodology for assessing CSIRT and incident management operations. As part of this work she co-authored the beta version of the Federal Computer Network Defense (CND) Metrics. The Federal CND Metrics are being developed to provide federal, state, and local agencies with a method for evaluating the effectiveness of an agency's incident management or CSIRT capability (focusing on the Protect, Detect, Respond, and Sustain functions).
Ruefle received a BS in political science and an MPIA (Master of Public and International Affairs) from the University of Pittsburgh. She has also taught courses in information technology, management information systems, and information retrieval and analysis as an adjunct faculty member in both the Continuing Education and MBA programs at Chatham College and in the Graduate School of Public and International Affairs (GSPIA) at the University of Pittsburgh.
Podcasts Featuring Robin Ruefle: The Real Secrets of Incident Management
Kristopher Rush is a member of the technical staff in the CERT Program at the Software Engineering Institute (SEI). The CERT Coordination Center is a part of this program.
Before joining the SEI, Kristopher worked with the United States Department of State as a member of the Antiterrorism Assistance Program. During this time he developed and taught courses relating to terrorism and cyber crime to foreign military and police.
Rush received a BA in Cultural Anthropology from the University of Florida and an MS in Information Security Policy and Management from the H. John Heinz III School of Public Policy and Management, Carnegie Mellon University. He is the co-author of several SEI publications, including the First Responders Guide to Computer Forensics: Advanced (CMU/SEI-2005-HB-003) and Defense-in-Depth: Foundations for Secure and Resilient Enterprises (CMU/SEI-2006-HB-003).
Podcasts Featuring Kristopher Rush: Inside Defense-in-Depth | Computer and Network Forensics: A Master's-Level Curriculum
Robert C. Seacord is a senior vulnerability analyst in the CERT® Program at the Software Engineering Institute (SEI) in Pittsburgh, PA, where he leads the Secure Coding Initiative. Robert is the author of The CERT C Secure Coding Standard (Addison-Wesley, 2008) and Secure Coding in C and C++ (Addison-Wesley, 2005) as well as co-author of two other books. Robert is an adjunct professor at Carnegie Mellon University and a technical expert for ISO/IEC JTC1/SC22/WG14, the international standardization working group for the programming language C.
Podcasts Featuring Robert Seacord: Mainstreaming Secure Coding Practices
Martin Sebor is a technical leader in the C and C++ compiler tool chain group in the Network Operating Systems Group at Cisco Systems, Inc., where he works on compilers and related development tools as well as the Cisco IOS network operating system. Among Martin's responsibilities is leading the development and deployment of Cisco Secure Coding Standards. Martin's expertise includes the C and C++ languages and development tools, and the POSIX standard. Martin is Cisco's representative to the C and C++ international standards committees (PL22.11 and PL22.16, subgroups of INCITS technical committee PL22, Programming Languages).
Prior to joining Cisco in 2009, Martin was Chief Architect at Rogue Wave Software where he was also the main implementer of the open source Apache C++ Standard Library.
Martin holds an MA in Computer Science from the City University of New York and a BA in Information Systems from the University of Agriculture in Prague.
Podcasts Featuring Martin Sebor: Cisco's Adoption of CERT Secure Coding Standards
Dr. Timothy Shimeall is a senior member of the technical staff with the CERT Network Situational Awareness Group of the Software Engineering Institute, where he is responsible for overseeing and participating in the development of analysis methods in the area of network systems security and survivability. This work includes developing methods to identify trends in security incidents and in the evolution of the software used by computer and network intruders. Of particular interest are incidents affecting defended systems and malicious software that is effective despite common defenses. Tim is also an Adjunct Professor at Carnegie Mellon University, with teaching and research interests focused on information survivability.
Before joining Carnegie Mellon University, Tim was an Associate Professor at the Naval Postgraduate School in Monterey, California. He taught a variety of topics in software engineering, systems and security and supervised numerous masters and Ph.D. theses. He has taught courses for a variety of educational institutions and private corporations, in both local and distance learning formats.
Podcasts Featuring Timothy Shimeall: Using the Facts to Protect Enterprise Networks: CERT's NetSA Team
George J. Silowash is a Cybersecurity Threat and Incident Analyst within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University. He is part of the Threat Technical Solutions and Standards team. He has over nine years of experience in the information technology field, including systems administration and information security. George's latest work involves developing technical controls using open source software to counter data exfiltration attempts by malicious insiders.
Other areas of interest include privacy and security, digital forensic investigations, and critical infrastructure security. Before joining CERT, George was an Information Systems Security Officer for the United States Department of Justice, National Drug Intelligence Center. He was also a systems administrator for a healthcare company prior to working in the Federal government. In addition, George is an adjunct professor at Norwich University's Information Assurance Program. He has a Master of Science in Information Assurance from Norwich University and is a Certified Information Systems Security Professional (CISSP).
Podcasts Featuring George Silowash: Mitigating Insider Threat - New and Improved Practices Fourth Edition
Thomas J. Smedinghoff is a partner in the Privacy, Data Security, and Information Law Practice at the law firm of Wildman Harrold in Chicago. His practice focuses on the developing field of information law and electronic business activities, with an emphasis on electronic transactions, information security and privacy issues, and the corporate use and management of information generally. Mr. Smedinghoff has been actively involved in developing e-business and information legal policy both in the U.S. and globally. He currently serves as a member of the U.S. Delegation to the United Nations Commission on International Trade Law (UNCITRAL), where he participates in the Working Group on Electronic Commerce and recently completed negotiation of an international treaty titled the United Nations Convention on the Use of Electronic Communications in International Contracts.
He chaired the Illinois Commission on Electronic Commerce and Crime, and drafted the Illinois Electronic Commerce Security Act enacted in 1998. He served as an advisor to the National Conference of Commissioners on Uniform State Laws (NCCUSL) and participated in drafting the Uniform Electronic Transactions Act (UETA).
Mr. Smedinghoff chairs the International Policy Coordinating Committee of the American Bar Association (ABA) Section of Science & Technology Law, and previously was chair of the ABA Electronic Commerce Division and chair of the ABA Section of Science & Technology Law. He is the editor and primary author of the e-commerce book Online Law: The SPA's Legal Guide to Doing Business on the Internet.
Podcasts Featuring Tom Smedinghoff: Information Compliance: A Growing Challenge for Business Leaders
Jonathan Spring is a member of the technical staff with the CERT Network Situational Awareness Group of the Software Engineering Institute, Carnegie Mellon University. He began working at CERT in 2009. He also serves as an adjunct professor at the University of Pittsburgh's School of Information Sciences. His current research topics include monitoring cloud computing and DNS traffic analysis. He holds a Master's degree in information security and a Bachelor's degree in philosophy from the University of Pittsburgh.
Podcasts Featuring Jonathan Spring: Controls for Monitoring the Security of Cloud Services
James Stevens is a senior member of the technical staff in the CERT Program at Carnegie Mellon University's Software Engineering Institute (SEI). As a member of CERT's Resiliency Engineering and Management team, James performs information and infrastructure resiliency research and develops methods, tools, and techniques for resilient enterprise management. This work includes designing and delivering various information security risk assessment, analysis, and management technologies for customers in the government and the private sector. James has been working in the information security field for over fifteen years and holds a BS degree in Electrical Engineering from the University of Notre Dame and an MBA from Carnegie Mellon University's Tepper School of Business. James is an IEEE member and holds the CISSP certification.
Podcasts Featuring James Stevens: The Smart Grid: Managing Electrical Power Distribution and Use
Dan Swanson, CIA, CMA, CISA, CISSP, CAP, is President and CEO of Dan Swanson and Associates. He is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors (IIA). As an independent audit consultant, Dan has completed audit projects for many government, federal, and private sector organizations. Presently, Dan is a Compliance Week columnist and has a monthly column with IT Compliance Institute.
Swanson recently led the writing of the Open Compliance and Ethics Group (OCEG) internal audit guide (IAG) for use in audits of compliance & ethics programs (www.oceg.org) and participated in the COSO small business task force efforts to provide guidance for smaller public companies regarding internal control over financial reporting (www.coso.org).
The author of more than 100 articles on internal auditing and numerous other management topics, Swanson is currently an independent management consultant, a freelance writer, and monthly columnist for Compliance Week.
Podcasts Featuring Dan Swanson: Internal Audit's Role in Information Security: An Introduction
Randy Trzeciak is a senior member of the technical staff with CERT at the Software Engineering Institute (SEI), Carnegie Mellon University. He is a member of a team focusing on insider threat research, including insider threat studies being conducted with the U.S. Secret Service National Threat Assessment Center, the U.S. Department of Defense Personnel Security Research Center, and Carnegie Mellon’s CyLab. Trzeciak also is an adjunct professor at Carnegie Mellon’s H. John Heinz III School of Public Policy and Management. Prior to his position at CERT, Trzeciak managed the Management Information Systems team in the Information Technology Department at the SEI.
Prior to working at the SEI, Trzeciak was a software engineer at the Carnegie Mellon Research Institute. He was a lead developer and database administrator at Computing Services at Carnegie Mellon. Trzeciak also worked for Software Technology, Inc. in Alexandria, Virginia. He holds an MS in Management from the University of Maryland and a BS in Management Information Systems and a BA in Business Administration from Geneva College.
Podcasts Featuring Randy Trzeciak: Mitigating Insider Threat: New and Improved Practices
Cal Waits is the Operational Support technical manager of the CERT Program's Digital Investigation and Intelligence Directorate at Carnegie Mellon University’s Software Engineering Institute.
In addition to providing operational support and developing digital forensic training material for law enforcement and intelligence agencies, the Operational Support team focuses on identifying emerging trends in the forensic field and tool development.
Before joining the SEI, Waits worked for the National Security Agency. He holds an M.S. degree in Information Security from Carnegie Mellon University.
Podcasts Featuring Cal Waits: Computer Forensics for Business Leaders: Building Robust Policies and Processes | TJX, Heartland, and CERT's Forensics Analysis Capabilities
Drawing upon a unique combination of more than twenty years of technical, legal, policy, and business experience, Jody Westby provides consulting and legal services to public and private sector clients around the world in the areas of privacy, security, outsourcing risk management, business continuity, and technology compliance issues. She also serves as Adjunct Distinguished Fellow for Carnegie Mellon CyLab. Prior to forming Global Cyber Risk, Ms. Westby served as senior managing director for PricewaterhouseCoopers (PwC), specializing in outsourcing and cyber security/privacy issues.
Before that, she was president of The Work-IT Group; launched In-Q-Tel, an IT venture capital/solutions company for the CIA; served as director of domestic policy for the U.S. Chamber of Commerce; was senior fellow and director of IT studies for the Progress & Freedom Foundation; practiced law with two top-tier New York firms; and spent ten years in the computer industry specializing in database management systems.
Jody is a member of the bars of the District of Columbia, Pennsylvania, and Colorado and serves as chair of the American Bar Association's Privacy and Computer Crime Committee. She is a member of the World Federation of Scientists' Permanent Monitoring Panel on Information Security and represents the ABA on the National Conference of Lawyers and Scientists. She is co-author and editor of four books on privacy, security, cybercrime, and enterprise security programs. She speaks globally and is the author of numerous articles. B.A., summa cum laude, University of Tulsa; J.D., magna cum laude, Georgetown University Law Center; Order of the Coif. You can email Ms. Westby at: westby at mindspring dot com.
Podcasts Featuring Jody Westby: The Legal Side of Global Security
Austin Whisnant is a Member of the Technical Staff with the CERT Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA. As a member of the Network Situational Awareness team, she is currently involved in research topics such as novel malware detection methods and detection of network anomalies.
Prior to joining the SEI full time in 2012, Whisnant worked as a graduate student assistant with the same team. During this time, she co-wrote a technical report with Sidney Faber entitled Network Profiling Using Flow, which was published in August 2012. Whisnant has a Master of Science in Telecommunications with a focus on Information Assurance from the University of Pittsburgh, where she was awarded the National Science Foundation's Scholarship for Service. She has a Bachelor of Science from Furman University in Computer Science and Mathematics, and multiple certifications including Associate of (ISC)² for CISSP and CNSS 4010-4015.
Podcasts Featuring Austin Whisnant: Using Network Flow Data to Profile Your Network and Reduce Vulnerabilities
David White is a senior member of the technical staff in the CERT Program at the Software Engineering Institute (SEI), a college-level unit at Carnegie Mellon University.
David is a core member of the development team for the CERT Resiliency Management Model (RMM), a process improvement model that provides guidelines for converging and managing security and business continuity from an operational risk perspective. In this role, David is performing technical development on the model and associated products and is leading numerous projects to assist organizations with their adoption and use of the model. David is an instructor for the Introduction to the CERT Resiliency Management Model course and lead appraiser for the RMM appraisal.
Prior to his work in CERT, David held several other positions at the SEI, including management responsibilities for product strategy, contracts and licensing. Before joining the Software Engineering Institute, Mr. White served as vice president of a robotics company and had various responsibilities, including project management, software and hardware engineering, and business development.
David has a bachelor's and a master's degree in engineering from Carnegie Mellon University. He is currently based in New York City.
Podcasts Featuring David White: Using the Smart Grid Maturity Model (SGMM) | Managing Relationships with Business Partners to Achieve Operational Resiliency | How Resilient Is My Organization?
Bradford Willke is a senior member of the technical staff within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University. Willke is responsible for leading the Information Security Assessment and Evaluation team, and conducts research, development, and process improvement activities in risk, threat, and vulnerability management methodology related to information security management. Willke also leads projects to develop strategies and provide support for national and international critical infrastructure protection initiatives. In addition, he worked on the development of the SEI's principal risk assessment methodology, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE™) Method.
Before joining the SEI, Willke managed technology and security operations for computing resources of the 90th Security Police Squadron, Francis E. Warren Air Force Base, Wyoming. Willke served in the United States Air Force as a law enforcement specialist and organizational computer security officer from 1993-1997.
Willke holds a professional certificate in information protection and security from the University of New Haven, and received a BS in information systems technologies from Southern Illinois University at Carbondale. He received an AAS in criminal justice from the Community College of the Air Force, and has been a Certified Information System Security Professional (CISSP) since 2004.
Podcasts Featuring Bradford Willke: Managing Risk to Critical Infrastructures at the National Level
William Wilson is a senior member of the technical staff in the CERT® Program at the Software Engineering Institute (SEI).
As the technical manager of the Survivable Enterprise Management Group, Bill is responsible for the development and transition of methods and techniques that assist organizations in enterprise security management and the identification, analysis, mitigation, and management of information security risks.
Before joining the SEI, Bill served as the technical director of the National Security Agency's Software Engineering Center. During his more than twelve years at the NSA, Wilson held positions in software development and acquisition, systems engineering, and technical project management.
Bill holds a bachelor's degree in computer science from the Pennsylvania State University and a master's degree in computer systems management from the University of Maryland.
Podcasts Featuring Bill Wilson: Using Standards to Build an Information Security Program | The Path from Information Security Risk Assessment to Compliance
As an IT risk management consultant, Jan Wolynski provides security and privacy expertise at the executive level for both public and private organizations. Jan is a former 25-year operational member of the Royal Canadian Mounted Police (RCMP) and has over 25 years' experience in information security. His current role is focused on risk management, privacy, and IT governance.
Jan is well versed in the control objectives and controls that apply to IT and business processes. He has used the COBIT control framework and has been involved in controls assessments for clients requiring regulatory certification of the adequacy of their internal controls over financial reporting. In addition, he is considered a subject matter expert in risk assessment methodologies, including BS 7799-3:2006, RCMP/CSE, OCTAVE, IRAM, and AS/NZS 4360.
Jan has previously held senior manager and director positions with Deloitte LLP Enterprise Risk Services and PricewaterhouseCoopers LLP Advisory Services. He was PricewaterhouseCoopers Canada's most senior security practitioner and privacy leader. He currently consults with IBM's Security and Privacy Practice.
Podcasts Featuring Jan Wolynski: Virtual Communities: Risks and Opportunities
James Wrubel is a technical manager within the CERT® Program at the Software Engineering Institute (SEI), a unit of Carnegie Mellon University in Pittsburgh, PA.
James leads the team responsible for CERT's Virtual Training Environment (VTE), an on-demand training program for CERT's information assurance, incident response, and cyber forensics course material. James manages customer interaction, engineering, and infrastructure for VTE. James' background is in web application architecture. Prior to joining the SEI he spent ten years implementing web-based solutions in a variety of industries. James holds a BA from the University of Michigan and an MS in IT Management from Carnegie Mellon University.
Podcasts Featuring Jim Wrubel: Using High Fidelity, Online Training to Stay Sharp
Lisa Young, senior member of the technical staff with the Software Engineering Institute of Carnegie Mellon University, has 20+ years of experience in the information technology and telecommunications industry. She holds the designation of Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and is experienced in IT governance, information audit and security, and risk management.
Ms. Young teaches the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) risk-based security assessment methodology at the Software Engineering Institute. Her current line of research provides guidelines for improving the way organizations manage the processes of security, IT Operations, business continuity, compliance, and audit to support the organization's mission and critical success factors.
Podcasts Featuring Lisa Young: Resiliency Engineering: Integrating Security, IT Operations, and Business Continuity | Security Risk Assessment Using OCTAVE® Allegro | Insights from the First CERT Resilience Management Model Users Group