Visionary Capability: Please describe in 6 to 10 sentences how you have demonstrated an understanding of and made contributions to the multi-disciplinary aspects of the Identity Ecosystem and the specific goals of the Strategy.
Over the course of my career I have had many opportunities to advance sound identity management practices in roles covering both the public and private sectors. My most recent work highlights my contribution and vision for the identity ecosystem and the NSTIC strategy.
Working with the state of Nevada to create our proposal for an NSTIC pilot grant has provided a unique opportunity for me to develop a detailed understanding of the NSTIC strategy, guiding principles, and supporting structures, such as the IESG. Nevada’s proposal envisions a collaborative initiative between public and private sector organizations to establish a comprehensive, interoperable, fully functional trust framework for online gaming. Our approach will satisfy the three major challenges, four guiding principles, 12 objectives, and overcome each barrier identified in the NSTIC strategy.
Should we be fortunate enough to be awarded a grant, our proposed program will serve to advance the interests of the state, the private sector stakeholder organizations, and fulfill the goals of the NSTIC strategy.
Team Effectiveness: Please describe in 6 to 10 sentences how you have demonstrated an ability to work effectively within the scope of a governing board.
As a former Chief Information Security Officer I have had the privilege of chairing security committees within two different organizations.
First, as the CISO for the State of Nevada, I had the responsibility to lead the State Information Security Committee, which was comprised of Information Security Officers representing various state agencies. Operating successfully in this role required effective communication and consensus building. Second, within International Game Technology (IGT), I led the formation of a Cyber-security Council, which was comprised of representatives across business units, as well as representatives from international locations. Establishing a security focused management body, where none had existed previously, required formalizing a concept of operations, soliciting sponsorship from key executives, and evangelizing the Council throughout the organization to generate support.
I believe that these same capabilities will be of value as a delegate to the IESG management council.
Outreach: Please describe in 6 to 10 sentences how you have demonstrated an ability to clearly communicate the actions of a management group to subsidiary groups in order to facilitate consensus building and support the work required to achieve results.
Outreach and consensus building are fundamental to a successful security program and I have had many opportunities to apply these skills over the course of my career. Two examples that I would cite are the outreach activities I performed while with Symantec and activities in conjunction with Nevada’s NSTIC pilot grant proposal.
While serving as the Director of Security Strategy and Programs for Symantec, I organized a series of CISO roundtable events to provide executive level briefings on the Aurora and Stuxnet attacks. This involved identifying target individuals, informing them of the purpose and value of the event, enrolling participants, and ensuring that the event met expectations for attendees.
My efforts in support of Nevada’s NSTIC proposal involved an outreach to potential program “stakeholders” including government entities, gaming industry organizations, and relevant identity and security technology companies. The results of this outreach effort garnered close to 20 letters of support for our proposed program from multiple industry Chief Executive Officers, the Chairman of the Nevada Gaming Control Board, Senator Harry Reid, and Governor Brian Sandoval.
Expertise: Please describe in 6 to 10 sentences the field of endeavor where you are recognized as an expert.
I am a recognized expert in the field of cyber-security.
My career spans over twenty-five years in information technology with the majority spent focused on cyber-security disciplines. I have served in a variety of security related roles. I am the former Chief Information Security Officer for the State of Nevada, former Chief Security Officer for the Executive Office of Health and Human Services for the Commonwealth of Massachusetts, and former Director of IS Security and Internal Controls for International Game Technology. In a consulting capacity, independently and for both Ernst & Young and IBM, I have had the privilege of working with numerous Fortune 1000 organizations on a variety of programs and security initiatives.
My education credentials include a Bachelor of Science in Business Administration and Master of Science in Information Assurance. I also hold three internationally recognized security certifications: Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified in the Governance of Enterprise Information Technology (CGEIT).
Over the years, I have participated in and presented at a multitude of professional conferences, such as RSA, SANS, GMIS, and InfraGard.
Commitment: Please describe how much time per month and what effort you are willing to contribute to the role.
I will commit as much time as necessary to satisfy the demands of the role. I estimate between 20 – 25 hours per month focused on IESG activities, in addition to being available via e-mail or phone.
Breadth of Experience: Please describe in 6 to 10 sentences how you have demonstrated breadth of experience.
I have included several examples of projects that demonstrate the breadth of my experience in the Bio section.
Over the course of my career I have developed an unusually broad set of experiences: I have worked on projects around the world and across the US; I have served in advisory roles and management roles; I have worked in both the public and private sectors; I have worked with large organizations and in entrepreneurial, startup companies; and I have worked my way through a progression of IT roles from support desk through systems administration to solutions architect and on to management/executive roles.
I embrace new challenges and try to apply the lessons learned throughout my career to every endeavor.
Identity Management: Please describe in 6 to 10 sentences the contributions you have made to the identity management community.
While I have had a variety of experience with identity management initiatives within organizations, developing strategies, architecting and deploying technical solutions, and developing policies and standards, I have not had the opportunity to contribute to the broader identity management community.
However, one example of a contribution that might be considered applicable to the protection of personally identifiable information was my work on what is commonly referred to as SB227 “Nevada’s Encryption Law.” I served as a contributing author, providing technical subject-matter expertise and testimony supporting the passage of the modification to Nevada’s Breach Disclosure statute (NRS 603A) to include encryption requirements for the transmission of personally identifiable information.
To the best of my understanding, this law remains a unique example of providing an incentives based approach, through safe harbor provisions, to foster the application of good security practices, specifically encryption.
Board Experience: Please describe in 6 to 10 sentences how you have demonstrated the ability to effectively lead a significant organization or organization's board.
In addition to the previously noted examples of security committee leadership roles, I served as a designated member of the Nevada Technological Crimes Advisory Board.
As the representative of the Department of Information Technology, I participated in Board meetings providing a unique perspective as one of the Board's only cyber-security professionals. This allowed me to contribute a technical, cyber-security context to discussions that were inherently focused on law enforcement issues.
In my current role, I advise security, technology and business leaders on cyber-security issues, industry trends and innovative security methodologies. I have extensive experience developing and managing enterprise cyber-security programs in both the public and private sectors, having served as the Chief Information Security Officer for the State of Nevada, Director of IS Security and Internal Controls for International Game Technology (IGT), and most recently, as Director of Security Strategy & Programs for Symantec.
Representative projects relating to cyber-security and identity management include:
• As a Senior Manager with Ernst & Young, LLP, I led a team of subject matter experts to develop a Role-based Access Control (RBAC) security strategy for Deutsche Telekom. This strategy incorporated Tivoli's Security Management and User Administration technologies and was designed to support over 300,000 end-users. The strategy addressed the processes and technology capabilities necessary to provide user enrollment, role assignment, the full identity lifecycle, and operational administration.
• As a consultant with IBM, I led a project to support SOX compliance activities for Amerisource Bergen, specifically focused on the identity management functions. This project analyzed functional requirements, current capabilities, developed process models for the full identity management lifecycle, and developed supporting technologies.
• I designed and managed the IGT Certificate Authority, which provided certificate services for engineering development activities and internal IT systems. This included the ongoing management processes for the Hardware Security Module (HSM) and supporting infrastructure.
• In support of the IGT Research & Development Center Program in Beijing, China, I developed a detailed risk assessment, designed a comprehensive security architecture including biometric two-factor authentication, data loss prevention (DLP), network access control, and encryption. I received an official authorization from the People’s Republic of China to use AES256 encryption to protect sensitive intellectual property.
• I served as a contributing author, providing technical expertise and testimony supporting the passage of the modification to Nevada’s Breach Disclosure statute (NRS 603A) to include encryption requirements for the transmission of personally identifiable information. This is commonly referred to as SB227 “Nevada’s Encryption Law.”
• I served as Program Manager and Solution Architect for Standard Chartered Bank’s Global IT Re-engineering Service Delivery Program, a $20 million program to redesign the IT service delivery functions for the bank to integrate ITIL standard processes.
I hold a Bachelor of Science in Business Administration from the University of Texas at Dallas and Master of Science in Information Assurance from Norwich University. I am a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM) and am Certified in the Governance of Enterprise Information Technology (CGEIT).
Statement: Please provide a statement so that voters can know who they are voting for and why they should support your nomination.
The NSTIC Strategy and Identity Ecosystem Steering Group represent a unique opportunity for State, Local, Tribal, and Territorial Government organizations to foster the development of an identity ecosystem. As one of the critical sources of validated identities in the physical world, states in particular are vital contributors to a robust ecosystem. In addition, all levels of government will benefit as participants in an effective identity ecosystem supporting e-government initiatives. The interests of State, Local, Tribal, and Territorial Government organizations must be represented in the pursuit of the NSTIC objectives.
As your representative on the management council, I am committed to the following three principles:
1. Inclusion – We must grow the membership within the State, Local, Tribal and Territorial Government Stakeholder category. Current representation is a good start, but clearly there are a number of entities that would benefit from participation in the IESG. I believe that we must facilitate the outreach to organizations that are not currently represented, communicate the benefits of participation, and grow the membership.
2. Collaboration – As a representative, it is critical to understand the interests of the stakeholders. We must work collaboratively to identify and develop positions on the issues that impact our respective organizations. I am committed to working in a collaborative manner to reach consensus, and promote the interests of the stakeholder community.
3. Contribution – With 14 stakeholder categories the IESG will have a variety of diverse interests represented on the management council. To be effective and represent the interests of the State, Local, Tribal and Territorial Government stakeholders will require active participation in the management council and IESG workgroups. I am committed to a meaningful contribution to the management council and IESG workgroups.
I believe that I can be an effective representative for the State, Local, Tribal, and Territorial Government stakeholder community. I am committed to the principles I have outlined and to making the Identity Ecosystem a reality and NSTIC a successful endeavor. Thank you in advance for your consideration and support.