Blessed are the influencers for they will make a true difference – through policy, vision, drive, innovation and ideas – in the course of information security. What sets our selection apart is that they've held significant sway on the direction of IT security.
Richard Clarke, chairman, Good Harbor; author; former federal cybersecurity czar
Richard Clarke doesn't pull any punches about what he thinks of the state of cybersecurity today – or the people and institutions charged with handling it. At February's RSA Conference in San Francisco, Clarke took a jab at Edward Snowden (saying Snowden being called a whistleblower makes his blood boil). He also took on National Security Agency (NSA) critics in other countries; called for politicians and officials to up their cybersecurity game (it would be easier if they “learn about information and how it's collected”); and demanded guidance for the NSA (policymakers should clarify “what they want collected and not collected”).
But Clarke does more than use his words. He's widely known as a man of action, putting in 30 years in government as a diplomat in the State Department and in the Pentagon, as well as serving as a security guru to three presidents (Clinton, George W. Bush and Obama) before becoming CEO of Good Harbor Security Risk Management, a Washington, D.C.-based consultancy advising companies and governments on cybersecurity.
His work as a cybersecurity czar and adviser to presidents – his assessment of the latter is detailed in his book Against All Enemies – earned him a slot as an SC Magazine Industry Pioneer back in 2009. His continued efforts to strengthen cybersecurity and his work with the Obama administration have clearly established Clarke as a widely recognised Influencer.
He drew the public into the debate with his 2010 book Cyber War: The Next Threat to National Security and What to Do About It. And his 300-page “Review Group on Intelligence and Communications Technology,” requested by President Obama, made 46 recommendations for tightening NSA security and improving transparency of U.S. surveillance activity.
James Lewis, senior fellow and director of the strategic technology programme, CSIS; professor, Johns Hopkins University
Admitting to a fascination with computers “back in the stone age” of computing, Lewis used mainframes “as an analytical tool in grad school and realised they had immense potential.” When he joined the State Department in the late 1980s, they were still “an alien presence.” But his programming skills didn't go unnoticed by Dick Clarke, then in the Politico-Military Bureau, who sent him to work at the NSA on an initiative that Lewis thought was “unworkable,” the Clipper chip and encryption policy.
He quickly changed assignments and, by the time he left the State Department for another government agency, Commerce, he had two White House working groups in his portfolio – secure public networks and e-commerce – which turned out to be lucrative.
“I found that policy on network security had advanced two inches in three years and decided to assign one of my deputies to cover it when the Director of Central Intelligence walked into an IWG and said, ‘I have the solution,'” says Lewis. “He didn't, but he broke the gridlock on thinking about how to secure the internet and I decided to stay. That was 1996.”
And the cybersecurity industry has felt his influence ever since. As a member of the U.S. Foreign Service and Senior Executive Service, he worked, among other things, on internet policy. During his tenure at the bipartisan, nonprofit Centre for Strategic and International Studies (CSIS), Lewis has testified numerous times before Congress on cybersecurity issues and served as the project director for the CSIS Commission on Cybersecurity for the 44th President, penning “Securing Cyberspace for the 44th Presidency,” the best-selling report that has informed U.S. policy and which has been recognised by President Obama.
But Lewis is not finished yet. “CSIS helped put cybersecurity on the map, but the current discussion just repeats things from five years ago,” he says. “I want new ideas on how the U.S. secures infrastructure without economic harm, how countries cooperate in cyberspace, and how countries adjust to the convergence of privacy, internet governance and cybersecurity.” To that end, CSIS is starting a new cyber institute and has projects underway “on the internet of things, information sharing, military use, and governance.”
The internet, Lewis contends, will be very different in five or 10 years. “I want to identify trends, issues, and policies that let us get the full benefit of networked computing – the potential I saw in my TRS-80 three decades ago,” he says.
Kevin Mandia, SVP and COO, FireEye
Selling Mandiant, the firm he founded in 2004, for more than $1 billion to FireEye, where he became COO, hardly dimmed Kevin Mandia's opinions or influence.
By the time the sale went through, Mandia had already become a celebrity of sorts after Mandiant published a report revealing that China had stolen U.S. trade secrets. Mandiant named the Chinese military unit APT1 – it has also been dubbed the Comment Crew – because it is only one of dozens of advanced persistent threat (APT) groups with China-based operations that the firm tracks.
The report, released in February 2013, chronicled Mandiant's tracking of IP addresses, network communication and attack characteristics to trace the unit's central hub to a 12-story facility in Shanghai. The firm also discovered that the majority of the 709 unique IP addresses hosting APT1 command-and-control servers were registered in China.
Expecting blowback from the security industry, the company stated in the report that it was “acutely aware of the risk this report poses for us. We expect reprisals from China, as well as an onslaught of criticism.” And the critics weighed in quickly.
Less than a year later, Mandia inked the deal with FireEye. In an interview with Fortune magazine, Mandia indicated that the two companies were a perfect fit – with FireEye known for its detection prowess and Mandiant focused on quick resolution.
With more than 20 years in the information security industry, Mandia has pushed into the forefront of security – for 15 of those years lending his expertise to companies grappling with security breaches. He is the go-to guy for media and others seeking commentary on security issues.
Daniel Nutkis, founder and CEO, HITRUST Alliance
As national director of health care emerging technologies for Ernst & Young in the 1990s, Nutkis was on the ground floor as organisations started “leveraging the Internet and Internet-derived technologies” as part of their “short- and long-term information technology strategy.” What quickly became apparent was that, in addition to opportunities, the internet opened the door to potential threats and risks “that we were not prepared to address on many levels,” Nutkis said.
After founding the HITRUST Alliance in 2007, Nutkis got a bird's-eye view of the issues. “Back then, getting individuals and organisations to dedicate the time and resources to information security was difficult,” he says, “especially when the suggestion was to establish a framework that would apply to the entire industry; incorporate relevant and existing standards, regulations, and best practices; and be scalable, prescriptive, risk based, and certifiable.”
But establish a framework he did, working with like-minded thought leaders who “were willing to make the commitment to help us achieve our goals.” Now, seven years later, the health care industry has embraced and widely adopted the HITRUST Common Security Framework, which has undergone “substantial updates,” he notes. Among those updates is the incorporation of, and the establishment of health care-specific guidance for, the NIST Cyber Security Framework. The framework is used as the bones of the CyberRX threat simulation exercises, coordinated with the Department of Health and Human Services, to evaluate the cyber preparedness and response of private and public health care organisations. HITRUST recently released a playbook for CyberRX 2.0, which expanded on the simulation exercises of the inaugural programme.
Going forward, Nutkis is training HITRUST's focus on integrating and aligning its programmes “to maximise their value [to ensure] that organisations across all stages of information security maturity can benefit from them.” He acknowledges that will be a challenge in what is a “large, diverse and complex” industry. If the past is any indication, though, it is one that Nutkis will ably rise to meet.
Howard Schmidt, partner, Ridge-Schmidt Cyber LLC
It's tempting to put Howard Schmidt among the SC Magazine UK Pioneers. Forty years spent in defence, law enforcement and corporate security certainly qualify him.
But Schmidt has not simply gotten there first – he's continued to whisper to government, private industry, law enforcement authorities and even the president, where as cybersecurity coordinator and special assistant to the president he coordinated “interagency cybersecurity policy development and implementation” as well as engagement with federal, state, local, international, and private sector cybersecurity partners, whitehouse.gov says.
His 26 years of military service – in the Air Force, the Arizona Air National Guard and the Army Reserve – and his career as CISO or CSO at firms like Microsoft and eBay, as well as his experience as a police officer in Chandler, Ariz., have uniquely qualified him as a security expert – and proven without a doubt that he can adeptly juggle many responsibilities.
Schmidt has served as president and CEO of the Information Security Forum, is the former chief security strategist for the US-CERT Partners Programme at DHS, and is the executive director of the Software Assurance Forum for Excellence in Code (SAFECode). In his current role at Ridge-Schmidt Cyber, he has partnered with Tom Ridge, the country's first Secretary of Homeland Security, to guide business and government leaders through the cybersecurity landscape.