A roundup of influential information security leaders to watch.
(This article originally appeared on Nextgov)
The paucity of women in math and science extends to the data security realm. Women make up 14 percent of federal government cyber personnel, according to a May (ISC)2 global information security workforce study. The number was even lower in the private sector as recently as 2013: 11 percent.
But quantity does not equal quality.
And there is top-notch talent gracing the field across government, academia and industry. Here is an unempirical roundup of 10 influential leaders in information security, who happen to be women.
Ann Barron-DiCamillo, director, U.S. Computer Emergency Readiness Team, Homeland Security Department
Oversees a round-the-clock watch center that collects, processes and shares information on cyberthreats with agencies and industry sectors. The disclosure that Office of Personnel Management files on 21.5 million people, including holders of national security clearances and their families, had been stolen thrust her into the national spotlight, a position she was uncomfortable with as an evangelist of confidentiality. Testifying at a House hearing in June on U.S. CERT's role in the response, she acknowledged, "Like many Americans, I too am a victim of these incidents . . . Although I am appearing today ready to provide information to this committee, I do so with some concern" about losing the trust of victims who open up to U.S. CERT. Her organization relies on voluntary cooperation from agencies and firms that believe they might have been hacked. "I worry that U.S. CERT appearing before this committee will have a chilling effect on their willingness to notify us," she said. "We especially need private companies to continue to work with government and to share information about cyberthreats and incidents so that through greater shared awareness we can all be more secure from those who seek to do us harm."
Sally Holcomb, deputy chief information officer, Central Security Service, National Security Agency
Tasked with protecting information systems that hold, perhaps, the world's most secret data. "You may have heard we had some leaking problems," she said in April, referring to ex-NSA contractor Edward Snowden's spilling of classified intelligence. Increasingly, the agency depends on the cloud for tighter security and, paradoxically, easier access. Metadata makes both possible, she said. Each piece of information is tagged with details on its content and on who is allowed to read it, so access decisions are made per object rather than per system or per network. "Having the ability to secure at the object layer is pretty exciting for us," she said at a cybersecurity summit organized by the Armed Forces Communications and Electronics Association. At the same time, NSA must also ensure the intelligence remains discoverable. A search "query has to result in 'Hey, you may or may not have authorization, but there is data here subject to your request' and then give a means for someone to go find it."
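To make the object-layer idea concrete, here is an added illustration (not NSA code, and not from the original article) of the two behaviors Holcomb describes: every record carries its own label, a read is allowed only when the requester's clearance dominates that label, and a search returns the existence of a match without its contents. The classification levels, compartment names, records and the analyst's clearance are all constructed for the example.

```python
"""Object-level labelling with discovery-without-disclosure (added illustration)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Security metadata that travels with each object."""
    level: Level
    compartments: frozenset = frozenset()  # e.g. {"ALPHA"}; constructed names


@dataclass(frozen=True)
class Clearance:
    level: Level
    compartments: frozenset = frozenset()


@dataclass
class Obj:
    obj_id: str
    label: Label
    keywords: frozenset  # content tags used only for discovery
    body: str


def dominates(user: Clearance, label: Label) -> bool:
    """No read up: level must be high enough and every compartment held."""
    return user.level >= label.level and label.compartments <= user.compartments


def can_read(store: dict, user: Clearance, obj_id: str) -> bool:
    return dominates(user, store[obj_id].label)


def read(store: dict, user: Clearance, obj_id: str) -> str:
    """Return the body only if the per-object check passes."""
    if not can_read(store, user, obj_id):
        raise PermissionError(obj_id)
    return store[obj_id].body


def query(store: dict, user: Clearance, keyword: str) -> list:
    """Discovery: report (obj_id, authorized) for each hit, never the body.

    Assumes the keyword index itself is releasable to every querier; in a
    real system index terms would carry their own labels.
    """
    hits = [(o.obj_id, dominates(user, o.label))
            for o in store.values() if keyword in o.keywords]
    return sorted(hits)


# Constructed sample store: three records with different labels.
STORE = {
    "doc-1": Obj("doc-1", Label(Level.CONFIDENTIAL),
                 frozenset({"bridge", "logistics"}), "bridge load limits"),
    "doc-2": Obj("doc-2", Label(Level.TOP_SECRET, frozenset({"ALPHA"})),
                 frozenset({"bridge"}), "bridge source reporting"),
    "doc-3": Obj("doc-3", Label(Level.SECRET, frozenset({"BRAVO"})),
                 frozenset({"port"}), "port survey"),
}

# Constructed requester: SECRET clearance with the BRAVO compartment.
ANALYST = Clearance(Level.SECRET, frozenset({"BRAVO"}))

if __name__ == "__main__":
    print(query(STORE, ANALYST, "bridge"))   # doc-2 exists but is not readable
    print(read(STORE, ANALYST, "doc-3"))
```

The query result tells the analyst that a second "bridge" record exists and who to ask for access, while `read` refuses to release it; a TOP SECRET holder without the ALPHA compartment is refused the same way, since compartments are checked independently of level.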
Patricia Larsen, co-director of the National Insider Threat Task Force, Director of National Intelligence
Manages a growing team of leak-pluggers across government. Her mission is to guard government secrets and government staff from those who can't be trusted. "It's a privilege to work in that program," she said last December at a forum hosted by Nextgov. "And the only reason that you are there is to help protect your colleagues, not to out them. So, we've got to professionalize that workforce of people who do this for a living. They have to view themselves as part of a community." The specialists must undergo training on privacy protections, intelligence oversight and investigative procedures, in case their suspicions prove true. "It is also critical to remember the human element, and the expertise of clinical psychologists is crucial to inform insider threat analysis," she said.
Catherine Lotrionte, director of the Cyber Project, Georgetown University
Leads a research initiative that explores the role of international and domestic law in fighting cyberthreats. Last fall, she illuminated one way the United States might be able to use the World Trade Organization to punish China for economic espionage. A provision in the 1995 Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) deals with a country's obligation to protect undisclosed information. The clause "obliges each WTO member within its own jurisdiction -- to protect foreign companies' [undisclosed information], as they would protect their own companies' undisclosed information," she said. The snag is that cyberspace spans jurisdictions. But she pointed out a potential workaround. It is very possible the Chinese ultimately will file a cyberspying case against America with the WTO, she said. When that happens, the United States' best move would be to "argue a defensive legal argument under our rights to counter what they are doing," she said. "That would force the panel at the WTO to bring clarity to what those obligations mean for protecting undisclosed information."
Angela McKay, director of cybersecurity policy and strategy, Microsoft
Coordinates with the private sector, customers and law enforcement to build confidence in each other and in the Web. "One of the things that as an industry we're really trying to grapple with is what should we be doing on behalf of users -- like automatic updates -- and what are the things that we want to inform users [of] to make good risk decisions" on their own, she said at a February cybersecurity symposium organized by New America. "That's something where the pendulum hasn't found a good equilibrium point." The software giant once was reluctant to push out automatic updates, "because there was some concern that Microsoft was being the big top-down antitrust" entity, she said, "but as we realized the security ecosystem was changing we realized we needed to help users in this space."
Katie Moussouris, chief policy officer, HackerOne
Widely recognized for founding Microsoft's "bug bounty" program, which pays researchers cash for reporting security holes they discover in the Redmond, Wash., firm's software. Now at HackerOne, a San Francisco-based company that runs similar prize programs, she criticizes policies that treat bug-finders like criminals. A new presidential order authorizing sanctions against people complicit in exploiting software flaws could discourage analysts from warning about such vulnerabilities, she said. The policy's language should be tightened "to really reflect the intent, as opposed to increasing that fear among the security research community," she said during an interview. Even if not sanctioned, "there are several other pressures that researchers will face where their jobs are contacted, their careers are threatened, and all kinds of other things that are non-criminal prosecution but more like persecution." She also rails against a current U.S. proposal for implementing the Wassenaar Arrangement, a multilateral export-control regime, that would restrict the international export of "intrusion software." "The same offense techniques that are developed to bypass existing computer security measures are used in research to highlight weaknesses in order to fix the vulnerable software," she wrote in Wired last week. For spies, "no regulation will stop them. It is our job to collectively ensure that no regulation stops defenders."
Melinda Rogers, chief information security officer, Justice Department
Keeps information technology systems safe across the Justice Department. Her advice for organizations that want to survive a hack? "At the end of the day -- it's knowing what is in your environment. It's very easy to say, 'Oh, well it's an email system,' with email inside . . . but, that's not the right answer," she said at an AFCEA symposium last December. "One must own [the data, by] knowing what's in the data and then take proper precautions." Justice is updating acquisition guidance to make sure civil service employees understand that, when they work with vendors, encryption, contractor background investigations and other security controls must be carried out. When the inevitable data breach happens, damage control will hinge on "knowing what you have," she said.
Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications
Sees to it that Homeland Security serves as a "focal point for the security of cyberspace," per presidential directive. The cyber czar of DHS previously made a name for herself as McAfee's chief technology officer and chairman of the national board of directors of the FBI's public-private InfraGard cybercrime program. Now, she works with critical sectors, like the power industry, to protect machines that increasingly are reachable from the public Internet. Critical infrastructure systems are among the things in the so-called Internet of Things. These are the devices, in addition "to our refrigerators and toasters, that are connected," she said. Her "personnel are engaging cleared asset owners, the folks running and operating the water plants, the electric plants, the transportation to look through a classified briefing campaign and address the impacts of recent BlackEnergy" malware that targets industrial control systems, she said at a May 6 meeting of the President's National Security Telecommunications Advisory Committee.
Suzanne Spaulding, DHS undersecretary for the National Protection and Programs Directorate
Runs the DHS division tasked with defending U.S. infrastructure against cyber and physical threats. Once a regular on Capitol Hill who worked for both Democrats and Republicans for more than a quarter of a century, she is more concerned about nonpartisan matters these days. "I really do worry that the next year or so will be the year of the destructive attacks," Spaulding said April 27, during an event organized by New York's Fordham Law School. "With the Sony incident, all of the attention was on the salacious emails and the theft of movies before they came out and far less attention was paid -- for reasons I'm not clear on -- to the destructive nature of that attack: that there was destructive malware deployed that destroyed computers and data irretrievably." She is not merely bracing for more sabotage of U.S. networks; she intends to stop it. "Hope is not a plan. We have other plans," she said.
Up and comer: Shannon Praylow, senior officer, an intelligence community 24-hour watch center
Manages a team at an undisclosed government facility in the Washington area. The 34-year-old contractor for Maverick Cyber Defense has no college degree and had to work her way up, while training and attending boot camp in the Virginia Army National Guard. Now, the departments of Defense, Homeland Security, Justice and State are all on her resume, sometimes concurrently. Yet the shards of the broken glass ceiling cut deep. "Right now I'm a team lead of 10 males," some of whom are upward of 45 years old, she said. "I deal a lot with name calling, talking behind my back. And I can't let that bother me." A National Guard recruiter in 2001 first wanted to try her out as a truck driver: "I said, 'No,' turned around and walked out. Walked in a few months later, and he said, 'We do have this computer section, would you be interested?'"