
Board Elections

You Control the Future

(ISC)² Board Elections

The (ISC)² Board Election is conducted over the course of two weeks each year. All members in good standing as of the date specified in the notice may vote in the election. The Board puts forth several recommended candidates each year, and members in good standing as of the date specified may petition to have their names added to the ballot.

Congratulations to our four winners, and thank you to all who participated!

  • Biljana Cerin, CISSP, Croatia
  • Tony Cole, CISSP, SSCP, U.S.A.
  • Earl Crane, CISSP, U.S.A.
  • Tiffany Jones, CISSP, U.S.A.

Board Slate

  • Board Slate Winners

    Biljana Cerin, CISSP
    Country/Region: Croatia
    (ISC)² Certified Since: 2013
    LinkedIn: https://www.linkedin.com/in/biljanacerin

    Experience in Business Strategy

    I am director of Ostendo Consulting, a company founded in 2011 in London, UK and Zagreb, Croatia, where I am responsible for providing information security and risk management, IT governance, audit and compliance related services for clients operating in complex, highly regulated environments. I have 17+ years’ experience in leading many successful projects in financial, telecommunication, government, oil and gas, energy, biotechnology, higher education and IT services sectors worldwide. My primary focus is taking responsibility for the smooth execution of consulting projects and services, ensuring high quality of services delivery, achievement of visible results and exceeding of stakeholders’ expectations. I am closely liaising with CEOs, CIOs, CISOs and responsible board members in deciding how to most efficiently incorporate good information security and risk management practices in accordance with the business, legal and regulatory requirements (such as EU GDPR, HIPAA, EU GMP Annex 11, PCI DSS, ISO 27001), while leveraging existing resources, processes and technologies. Besides taking responsibility for consulting business development, my team has invested its experience, expertise and funds into an innovative solution for electronic delivery of payment card PINs, which was selected by UBS, the leading Swiss bank, as one of the regional finalists of the global Fintech “Future of Finance Challenge”. The competition involved over 700 FinTech companies worldwide. This is now PINswift, operating as an Ostendo Consulting brand specialized for Fintech solutions. Before starting Ostendo Consulting, I was manager of the Business Applications business unit at leading European IT services and solutions provider, S&T, and business development manager responsible for growing its Governance, Risk and Compliance services. I won the “S&T Extra Mile Award” as a recognition for my professional achievements.


    Education


    I earned my Master of Computing from the Faculty of Electrical Engineering and Computing, Zagreb, Croatia. I’m currently enrolled in PhD studies at the faculty of organization and informatics in Croatia, with major in information risk management. Besides CISSP, I hold CISA, CISM, CGEIT, CBCP, PMP professional certifications and ISO 27001 and 9001 Lead Auditor certificates.


    Industry Board Experience

    I have served as president of the (ISC)² Croatia Chapter since November 2014. Since its formation, the chapter has experienced rapid growth and recognition in the Croatian information security community, as well as in surrounding countries. Besides serving as chapter president, I am also a member of (ISC)² Scholarship Committee and (ISC)² Chapter Governance Committee. I have participated in the following industry organizations and initiatives: ISACA EuroCACS/ISRM 2013 London Conference Program Task Force, ISACA EuroCACS/ISRM 2012 Munich Conference Program Task Force and ISACA ISRM North America and Europe 2011 Conference Program Task Force, where I contributed to the speakers’ selection and program development. In HZN-Croatian Standardization Body, as a member of international standards adoption working group, I initialized and justified the reasons for the prioritized adoption of the ISO 27001 and 27002 international standards as Croatian standards. As a founder of the InfoSeCon association Croatia, I organized the first international information security conference in Croatia, InfoSeCon, which brought together over 30 of the most recognized industry experts as independent speakers and over 200 attendees to share top-notch knowledge with the Croatian information security community.


    Skills & Expertise

    I have strong expertise in making connections between the professional information security community and organizations that I believe can support its growth and recognition, such as Chambers of Commerce, leading universities, embassies and other professional bodies which (ISC)² can benefit from cooperating with. I have established good connections with leading regional media and am able to clearly formulate messages that are important for gaining stronger recognition in the community, while also ensuring we as professionals give back to the people we live and work with. My colleagues often describe me as a positive, proactive person with a strong ability to motivate others in achieving set objectives.


    Goals & Objectives

    I would like to lead (ISC)² initiatives in having a stronger presence outside the information security community, since I believe knowing and understanding people coming from other professional fields is important for successful growth of our field as well. Most specifically, I would like to see greater involvement of (ISC)² with young people at the moment when they choose their career path, at the end of high school or at first university years. We all experience a lack of professionals in this important field, and I believe that with right strategy and initiatives, we can make young people recognize the beauty of our profession and see themselves as part of it, especially for women, as they are often hesitant to enter the field. One important part of my efforts will be to emphasize the importance of having more women in information security and bringing this profession closer to them. As a result of my initiatives in this domain, in 2016, I was included in the list of the Top 50 Women in ICT in Croatia. I believe there is much more that can be done in this field, such as mentoring and encouraging women’s presence as speakers at professional events.


    (ISC)² Strategic Contributions

    I would like to see (ISC)² communicate more outside the community, having a stronger presence in the media, and cooperate more with universities and high schools. I also would like to see greater formal involvement of (ISC)² in creating the new regulations in our fields, since we can as professionals often recognize the lack of professional expertise and input in development of these regulations, which sometimes makes information security be perceived as an obstacle to business, while it is actually a business enabler if understood and presented well. Often this negative perception comes from inadequately formed compliance requirements in various regulations. This is where I think we can achieve more.


    Regional & Cultural Perspectives

    I come from a part of the world known for its rich and complicated history - Croatia and surrounding countries - and these historical events resulted in very specific cultural perspectives. From my work on projects worldwide, I also get to experience a number of different cultures, and am often in a position to have professionals from different cultural backgrounds work together. I believe the experience I’ve gained from working in such an interesting environment can help (ISC)² more easily communicate its messages, as well as enable professionals coming from various cultures to better communicate with each other. A very important part of our professional work comes down to good communication mechanisms and then can easily be influenced by regional specifics and sometimes challenges, which I can help successfully overcome in communicating the (ISC)² messages and initiatives and hence, enable the further growth of (ISC)² community.


    Professional Recognition

    • Selected in “Top 50 Women in ICT in Croatia” in 2016
    • Founder and President of (ISC)² Croatia Chapter from 2014 to today
    • ISACA EuroCACS/ISRM conferences Program Task Force Member in 2011, 2012, and 2013
    • S&T Extra Mile Award winner in 2009
    Published scientific and professional papers:
    • MIPRO 2013 – “IT governance, audit and project management in public and state administration”
    • MIPRO 2012 – “Managing risks of IT projects in public and state administration”
    • MIPRO 2009 – “Tributaries of the Information security measures directive and ISO 27001”
    • MIPRO 2006 – “Assessing and managing information security risks”
    • MIPRO 2005 – “Managing information security in business environment”
    • MIPRO 2004 – “Implementing an Information Security Management System”
    • (MIPRO is international convention on information and communication technology, electronics and microelectronics held in Croatia for over 35 years) 
    Selected lectures held at professional events:
    • CyberRisk Conference Croatia, 2016: “Cyber risk insurance”
    • EuroCACS/ISRM Barcelona, 2014: “Managing information security for generation Z-ers”
    • IDC Adriatics Expo, Croatia, 2014: “Manage security risks to speed up your business”
    • Infosek, 2013: “New ISO 27001 is on the stage – are you ready for the transition?”
    • EuroCACS/ISRM London, 2013: “Assurance forum – assurance professionals’ challenges—are we quick enough and how far can we go?"
    • EuroCACS/ISRM London, 2013: “Formal ISO 27001 certification – gains vs. losses”
    • EuroCACS/ISRM Munich, 2012: “KISS principle for information security, compliance and risk management in complex environments”
    • EuroCACS/ISRM Munich, 2012: “Moving forward with technology”
    • The IIA Croatian branch, 2011: “ERM and GRC approaches to risk management”
    • PMI Project Management Institute, 2009: “Information security and business continuity management projects – why the crisis does (not) help them?”
    • IDC IT Security and Storage Road Show 2008: “Case study: ISO 27001 implementation at Privredna Banka Zagreb”
    • IDC Security Road Show 2006: “ISO 27001/27002 standards: How to effectively implement them into your organization and get certified?”
    • Microsoft Security Days 2005: “How to build an effective information security team?”

    Information Security Experience

    I am passionate about designing and establishing efficient information security risk assessment and management processes, which are fully supported across the organization, therefore enabling timely identification and communication of information security risks in order to make informed and cost efficient decisions on how to mitigate them. I designed such processes for leading organizations in healthcare, biotech, government, oil and gas, energy, telecom and financial industry organizations in Europe and the U.S. I establish business-aligned security control frameworks to handle overwhelming compliance requirements (EU GDPR, HIPAA, EU Annex 11, PCI DSS, MICS, SOX, ISO 27001...) by making sure existing internal resources, tools, policies and processes are utilized as much as possible, instead of building parallel systems just in order to "comply". "Security as a business enabler" is my motto and the objective I strive towards in performing everyday business activities.


    Leadership/Management Experience

    I have served as president of the (ISC)² Croatia Chapter since November 2014. Since its formation, the chapter has experienced rapid growth and recognition in the Croatian information security community, as well as in surrounding countries. I am a business director of Ostendo Consulting, where I am responsible for the constant business growth and acquiring of the right talent able to provide sophisticated services to the most demanding clients. I am founder of InfoSeCon, the first independent association of information security professionals in Croatia, and also organizer of InfoSeCon 2005 and 2006 international conferences, which attracted the most recognized industry experts at the time to share the top-notch knowledge with young Croatian information security community. In S&T, the leading European IT services and solution provider, I was a business unit manager and business development manager. Previously, I was consultancy manager at Croatian Quality Superintending Company, and information security projects manager for a highly specialized team of information security consultants and researchers at the Faculty of Electrical Engineering and Computing in Zagreb, Croatia.


    Volunteer Experience

    Besides serving as a chapter president, I am also a member of (ISC)² Scholarship Committees, (ISC)² Chapter Governance Committee, and I have participated in the following industry organizations and initiatives: ISACA EuroCACS/ISRM Conferences Program Task Force, HZN Croatian Standardization Body’s ISO 27001 international standards adoption working group and InfoSeCon association Croatia.

    Tony Cole CISSP, SSCP
    Country/Region: USA
    (ISC)² Certified Since: 2000
    Twitter: @nohackn  | LinkedIn: www.linkedin.com/in/wmtonycole

    Experience in Business Strategy

    I have a deep level of expertise in business strategy, initially from government work and honed over a fifteen-year career in the commercial world after my military retirement. I built many different successful product and service offerings at two of the world's largest cybersecurity companies. I ran two government consulting practices, one utilized across the globe and quite often brought into commercial accounts for our expertise. I recruited to, and consulted on Wall St around cybersecurity technology companies and where they were likely going from a product perspective. I was a strategist and advisor for Secure Elements on their Advisory Board to help build their vision prior to their sale to Fortinet. I was cyber business strategist advising numerous government agencies and companies around the globe on cybersecurity investments, processes, architecture and policy. I was appointed to the FCC CSRIC-V council by the FCC commissioner, to the NASA NAC Institutional Committee by the NASA administrator and to the President’s NSTAC Subcommittee on the Security of IoT Devices under President Obama. I’m currently an independent director on Silent Circle's board of directors and was recruited to help with strategy.

    Education

    B.S. in Computer Networking, Strayer University, Summa cum Laude. Current certifications are the CISSP and SSCP. Previous certifications include the FoundStone Corporation’s Ultimate Hacking Course, Carnegie Mellon University Computer Incident Handlers Course. Also, certified as a Level III Vulnerability Assessment tech under the U.S. Army. Numerous commercial and military courses in Leadership and Technology. Certified by Blue Streak Communications in media training for executives.


    Industry Board Experience

    As a member of the Advisory Board for Secure Elements, I helped to drive successful growth leading to an acquisition by Fortinet. I was recruited by Silent Circle as an independent director to help them expand and move into the enterprise software world. I am a founding member of the not-for-profit WhiteHat USA Gala charity organization benefitting Children's National Medical Center, which has raised over $1.4 million dollars to date. I’ve been on the board of the ISSA-DC Chapter for seven years, culminating as president for the last two years. I built out membership and activities across the chapter. I’ve also briefed numerous boards around the globe on cybersecurity issues and the risks they pose.


    Skills & Expertise


    I’m a well-known leader and mentor in the cyber security space. I have a deep level of expertise in the cyber domain, covering a multitude of areas, including services, products, architecture development, policies, risk, people development and much more. I’m able to take low-performing teams, products or organizations and redevelop them into a cohesive and over-achieving unit. I have tackled problem areas in government and the commercial world and helped turn things around in many challenging areas. I have a deep understanding of cultures around the globe at the senior executive level in industry and government. I possess great speaking skills, refined through decades of briefing at the cabinet, congressional, minister, boards and CEO levels, and through speaking at a multitude of conferences often at the keynote level around the globe.


    Goals & Objectives

    I'm interested in serving on the (ISC)² Board of Directors because I think I could help further elevate the organization as the provider of the recognized certification of the cyber professional around the globe. From there, we could build a comprehensive system where it was recognized internationally as a requirement for certain positions of trust in our profession. Although the (ISC)² certifications are widely known and respected today, the requirement for a true cybersecurity expert is still somewhat vague and varies from nation to nation and recruiter to recruiter looking to hire cyber experts.


    (ISC)² Strategic Contributions

    Additional thought leadership from the (ISC)² Board of Directors in areas that showcase a forward leaning organization thinking about the future enablement of the cybersecurity certified expert. This should be independent of vendor bias and completely focused on creating a higher playing field for the holders of the CISSP and associated certifications. One area to tackle right away is ensuring the right requirements are in place to weed out those without operational experience in the field seeking the certification. We need to raise the level of the CISSP to where it’s highly respected by all.


    Regional & Cultural Perspectives

    I've lived in Asia, Central America, across the United States in various places and in Europe for six years. I've traveled the globe working on cybersecurity issues (including Africa) in numerous jobs and currently travel extensively to speak and provide strategic services focused on cybersecurity. I have a pretty solid understanding of most cultures and have worked and lived in many of them. I’m quite comfortable in most major cities around the globe and have worked on cybersecurity issues in the majority of them. The type of travel I’ve done and the interactions I’ve had with the people I’ve met around the globe have given me what I hope is a broader perspective than most people in our industry. I believe it also allows me to connect with and understand diverse requirements from different regions.


    Professional Recognition

    I was recognized by my peers through my selection as Government Computer News IT Industry Executive of the Year award for 2014. In 2015, I was inducted into the Wash100 by Executive Mosaic as one of the most influential executives in cyber. In 2016, I was an awardee for Trending 40 Cyber Innovators and Entrepreneurs. I was selected for Symantec’s Horizon Award for Excellence in Leadership. I was given the Bronze Order of Mercury for lifetime contributions to the U.S. Army Signal Regiment. I was given numerous military awards over a twenty-year Army career, including four Meritorious Service Medals.

    A few interviews and publications:

    Information Security Experience

    I spent twenty years in the Army, and was one of the first in cyber helping to build and run the Army CERT, the Army Regional CERT-Korea, the Network Security Services-Pentagon (NSS-P), which included PENT-CIRT, SOC, V/A, Sec Engineering, etc. I built networks around the globe for the Department of Defense, and have advised numerous companies and agencies on cyber around the globe in the last fifteen years. I ran two large consulting practices focused on cyber for two of the largest cybersecurity companies in the world. I was recruited for my expertise by the U.S. FCC, NASA, DHS, Banks, Wall Street and many others as an advisor on cybersecurity strategy and trends.


    Leadership/Management Experience

    I have led numerous teams from initially a small eight-man team to one with a couple of hundred people, including numerous subcontractors. I’ve rebuilt teams that weren’t functioning up to their potential by finding the great performers inside the organization and promoting from within, along with bringing in additional expertise, cutting low performing products and services, adding a focus on people and lowering attrition. I have succeeded by continuously hitting targets and ensuring the entire team shared in the reward. I’ve continuously increased customer satisfaction with services by ensuring our consultants were well trained, enabled and ready to deliver. I've been a mentor to literally more people than I can count as they looked to the future for potential paths of their own careers.


    Volunteer Experience

    I have participated in the WhiteHat USA Gala, a charity benefiting Children's National Medical Center where they do over $50 million dollars’ worth of surgeries for children in need. I’m a fellow at the Aspen Institute, which helps to make the world a more civil place. I’m a supporter of Good Shephard charity in my own neighborhood, helping those in their time of need. As an Army retiree and fellow disabled vet, I support the DAV(.org) program as well. They have helped many disabled veterans that can’t help themselves. My family and I believe strongly in giving back.

    Earl Crane, CISSP
    Country/Region: USA
    (ISC)² Certified Since: 2004
    Twitter: @mystie3k | LinkedIn: https://www.linkedin.com/in/earlcrane

    Experience in Business Strategy

    Dr. Earl Crane is the founder and the chief executive officer of Emergent Network Defense, Inc. (Emergent). Dr. Crane has advised the President of the United States, Wall Street executives and multiple Fortune 100 corporations on their cyber defensive strategies. From 2009 – 2011, Dr. Crane led the implementation of the Department of Homeland Security’s information security strategy. As the Director of the Cybersecurity Strategy Division, he supervised the staff charged with creating and implementing the DHS enterprise-wide security risk-management strategy, and led the development of DHS security architecture, policies and procedures to address issues including intrusion detection and response security operations, threat intelligence, cloud computing security and data-loss prevention. As a member of the President’s National Security Council staff from 2011 to 2013, he was the lead for federal cybersecurity policy and oversight for the Cybersecurity Coordinator, responsible for aligning and responding to shifting cybersecurity threats and vulnerabilities. He led multiple coordination efforts with senior government leaders across domains to provide direction, streamline processes, and reduce burdens across the federal government.

     

    Education 

    Education:

    • BS, Mechanical Engineering – 2000 – Carnegie Mellon University Masters
    • MISM, Information Security – 2001 – Carnegie Mellon University – Graduation Summa Cum Laude (Highest Honors)
    • PhD, Engineering Management, Information Security – 2013 – The George Washington University
    • Tau Beta Pi (Engineering Honor Society)

    Certifications:

    • Certified Information Security Manager (CISM) – ISACA License 0606289 Date: Nov 2006 – Jan 2018
    • Certified Information Systems Security Professional (CISSP) – (ISC)² License 55226 Date: Jan 2004 – Jan 2018
    • Certified in the Governance of Enterprise IT (CGEIT) – ISACA License 0901526 Date: Jan 2009 – Jan 2018

     

    Industry Board Experience

    As director at Promontory Financial Group, Dr. Crane regularly briefed board members and executives at multiple well-known firms on cybersecurity risks and risk management. He has spoken multiple times on cybersecurity and risk management to boards and executives through the National Association of Corporate Directors (NACD). These programs educate board directors on current and emerging cybersecurity risks and mitigation strategies. He understands the roles and responsibilities of board members to help navigate the organization’s goals of creating and implementing effective, ethical and legal governance and financial management strategy, and to ensure that the organization has adequate resources to instrument proposed policies.

     

    Skills & Expertise

    Federal Government Insight: As director on the White House NSC, Dr. Crane served as an advisor to the President of the United States and was responsible for creation and oversight of intergovernmental cybersecurity policy. In this capacity, he worked with all federal agency CISOs to understand their unique mission requirements, and enabled policies and support for a proactive defense program. This included coordination with senior leadership across multiple federal executive branch departments and multiple White House offices. He led multiple interagency working groups and advisory boards focused on improving cybersecurity government-wide. Dr. Crane’s role at DHS and the White House provides him with extensive experience in policy and strategy development and implementation, from information sharing programs across public-private partner relationships, including members of federal government, industry participants and financial sector institutions. One of the persistent challenges facing federal agency CIOs is the lack of resources and leadership support for cybersecurity. Dr. Crane addressed this challenge by shifting the visibility for cybersecurity performance to the performance improvement officer (PIO) and deputy secretary or deputy administrator of the agency. He did this through focusing on cybersecurity performance metrics and measurement, incorporating context and eliminating jargon, to focus on agency mission impact.

    Financial Industry Expertise: Dr. Crane has wide-ranging experience applying various policies, guidelines, rules and regulations from federal and financial sector regulatory bodies to current sector industry organizations. He has extensive experience with the FFIEC IT security handbook, various FFIEC, OCC, FDIC and FRB information security requirements. He also has experience with emerging requirements under EO13636 and the NIST cybersecurity framework.

    Executive Cybersecurity Education: Dr. Crane is on the faculty at Carnegie Mellon, including an instructor at the CISO Institute for executive management, and Heinz College for cybersecurity public policy. His students are regularly CISOs for large commercial institutions, where they discuss the latest cyber defense capabilities and technologies.

    Strategy and Planning: One of Dr. Crane’s primary roles as the director for cybersecurity strategy at DHS was to stay abreast of emerging technology and cybersecurity challenges, and to build a strategy to position the department to address these challenges. His background as the chief information security architect for the Department of Homeland Security provides expertise in architecting and developing defensive strategies for large-scale enterprise systems. His expertise was further extended working with many of the top 20 banking institutions and Fortune 50 companies providing the same service.

    Future Vision of Cyber Risk: Dr. Crane identified the power of cloud computing as a game changer, and following the draft release of the social media guidelines in May 2009, he pulled together another interagency group to focus on cloud security. As the co-chair of the Network and Infrastructure Security Sub-Committee of the Federal CIO Council, he organized an interagency team to develop the first federal-wide “Guidelines for the Secure Use of Cloud Computing by Federal Departments and Agencies.” NIST Cloud Security guidelines and the FedRAMP program incorporated elements of these guidelines, and he was a senior advisor to the federal CIO on cloud security, attending weekly cloud meetings at the White House. Dr. Crane received the Federal 100 award from Federal Computer Week in March 2010 for my work in cloud security.


    Goals & Objectives

    Dr. Crane has a passion for cybersecurity, and is thankful for his almost 20 years in the field, which has included a successful information security startup, government cybersecurity and cybersecurity education as both a student and professor. Dr. Crane is interested in giving back, to help build the next generation of cybersecurity professionals through certification, education, training and road mapping to identify critical skills for future security and prosperity. He would like to bring the same emphasis to (ISC)² that he has brought to Carnegie Mellon through advisory sessions with university leadership – how do we continue to prepare the cybersecurity leaders of tomorrow? To identify the tools and talents necessary for cyber leaders throughout their career progression, from entry level to CISO and beyond – and to be able to deliver on these needs.


    (ISC)² Strategic Contributions

    One of the most challenging elements of this field is the use of data to drive change. Cybersecurity risk management is a continually evolving field. As a board member, Dr. Crane would like to emphasize three key areas: career development, education and membership.

    Career development: Dr. Crane is interested in career path progression and training programs, as they are critical for the development of the field. This includes early engagement with professionals through trainer and mentoring programs.

    Education: Dr. Crane is interested in cyber education, from some of the earliest K-12 cyber education programs, through cyber competitions, college programs and beyond. He would like to see continued improvement of cyber education based on standards like the NIST National Initiative for Cybersecurity Education (NICE).

    Membership: Finally, an organization is only as strong as its members – and membership grows through value creation and community for (ISC)² members around the world. Continued outreach to determine what (ISC)² members find most useful and need the most from (ISC)². Dr. Crane’s goal is to contribute innovative solutions and ideas to (ISC)²’s outreaching capabilities for the information security community.

    Regional & Cultural Perspectives

    As the director of the cybersecurity strategy division at the Department of Homeland Security, Dr. Crane faced the challenge of building a new team comprised of diverse staff transferred from other regions and teams, in addition to identifying new division needs and seeking out those with special skill sets. He dedicated himself to building a diverse team across multiple racial, ethnic, religious, gender, age and education backgrounds, where he focused on an individual’s unique capabilities, contributions and needs to create a highly effective team. For example, Dr. Crane quickly identified the need for DHS to develop a robust cybersecurity knowledge management capability to manage the large amounts of cybersecurity data and information. Experts are hard to find in this highly specialized field, but he identified a brilliant individual with two PhDs focusing in knowledge management and cybersecurity. Though he was currently in a comfortable job with academia and operating a data center, Dr. Crane attracted him to his team as an opportunity to implement his theories on a large scale. Dr. Crane also recognized that to implement the DHS cybersecurity strategy, the strategy must be communicated effectively. One of Dr. Crane’s strategic communication programs led a department-wide collaboration initiative, and developed two annual “State of DHS Cybersecurity” reports. He also personally engaged across the diverse set of DHS regional offices, travelling locally to embed with national and international teams, including San Diego/Tijuana MEX, El Paso/Juarez MEX, Puget Sound/Vancouver CAN and Newfoundland CAN. As a result, the strategic communication team won the 2011 (ISC)² Government Information Security Leadership Team Award. The team was one of the most diverse within the OCIO organization, representing an audience of 240,000 employees. At the time of Dr. Crane’s departure, almost every member of the team had returned to school part-time for a higher education degree (Bachelor, Master or Doctorate). Additionally, since his departure, every member of the team has remained with the DHS CIO, a level of retention that is difficult in a competitive cybersecurity environment. Finally, prior to Dr. Crane’s government service, as a security consultant with Foundstone, he worked closely with clients and taught classes around the world, including London, Barcelona, Tokyo and Panama City.


    Professional Recognition

    Selected Recognition:

    • Senior Cybersecurity Fellow - The Robert S. Strauss Center for International Security and Law
    • Carnegie Mellon Heinz College Distinguished Alumni Award – Oct 2014
    • Letter of Commendation, Executive Office of the President of the United States
    • Executive Leadership in Cyber Security – Jun 2011 – Association for Federal Information Resources Management (AFFIRM)
    • Federal 100 – Mar 2010 – Federal Computer Week - http://fcw.com/articles/2010/03/22/federal-100-crane-earl.aspx
    • Government Information Security Leadership Award, (Strategy Communication Team), (ISC)²

    Selected Publications:

    Selected Speaking Engagements:

    • RSA Conference
    • SXSW Security & Privacy Finalist
    • ACT-IAC Executive Management Series
    • Government Technology Research Alliance (GTRA)
    • AFCEA Keynote Speaker
    • International Monetary Fund
    • Symantec Government Symposium
    • ISC² Government
    • Information Systems Security Association (ISSA)
    • Information Security and Privacy Advisory Board (ISPAB)
    • Interview: "The importance of personnel to national cybersecurity" - Government Matters TV http://govmatters.tv/the-importance-of-personnel-to-national-cybersecurity/

    Information Security Experience

    One of my most unique information security experiences has been the requirement to cross boundaries from the most technical to the highest policy level. I was the only member of the national security staff able to both clearly explain how a botnet operated, how a DDoS attack was performed, and the strategic and policy solutions we could put in place to help address these issues on a management, operational, AND technology level. This comes from my background of four years of penetration testing, remediation, and forensics with Foundstone, and later my executive experience with DHS. I developed the first DHS SOC CONOPS providing the vision, leadership and guidance for the initial operations of a “world-class” Security Operations Center. The DHS SOC now operates as the front-line defense for DHS IT systems to secure and enable mission readiness for the department. This and other experiences gave me insight to help with policy formulations such as Executive Order 13587, to address and remediate vulnerabilities that resulted in the Wikileaks incident (as the technical principal for DHS), and later Edward Snowden (as the policy director).


    Leadership/Management Experience

    At Emergent we have put together a strong, highly experienced team of cybersecurity professionals where we have developed a truly unique and innovative solution to combat today’s evolving enterprise digital risks. My greatest accomplishment at Emergent so far has been the discovery and successful alignment of individuals’ hidden talents to best be used within an emerging organization. As the first Chief Information Security Architect and later the first Director for Cybersecurity Strategy at the US Department of Homeland Security, I had the responsibility to build a defensible infrastructure and architecture to combine 23 disparate agencies representing 240,000 employees into a single enterprise. I developed policies, procedures, tactical guides, training programs, and architectural documents for promulgation throughout the homeland security enterprise. I facilitated the DHS CISO Council and led the coordination effort among nine other DHS Component CISOs. I worked closely with the DHS Chief Privacy Officer for cyber defense programs, FOIA requests, and implementation of privacy and security best practices. Later, as the first Director for Federal Cybersecurity Policy on the White House National Security Council staff, I was the sole advisor to the President of the United States and to the National Cybersecurity Coordinator on federal cybersecurity issues. I advised two Federal Chief Information Officers (CIO) on their cybersecurity programs, from cloud security to classified system defense. In this program I built a number of cybersecurity risk management programs, including leading the federal cybersecurity metrics program (CyberSTAT) which measured and drove operational improvements in federal cyber defense. I established the minimum standards for cybersecurity reporting among federal agencies, and monitored for their improvement and compliance against defined metrics. My experience is not limited only to government. As a practitioner in higher learning for almost twenty years, I have worked closely with Carnegie Mellon leadership on cybersecurity program development and delivery. This includes within the classroom as an adjunct professor for masters and professional students, at the facilities level for establishing infrastructure for classroom delivery, and at the administration level for curriculum program development and delivery. I helped to develop the initial program for Carnegie Mellon’s Chief Information Security Officer (CISO) Certificate Program, and I teach the program’s Enterprise Security Governance day.

     



    Volunteer Experience

    I have served and continue to serve in support roles in various civic, academic and social organizations. Some examples include: Carnegie Mellon Admissions Council (CMAC) – volunteer to meet with prospective students to answer questions and provide my assessment to admissions. MD5 Mentor at austinhack.md5.net/home – continued collaboration to help other security startups bring their ideas to market to support humanitarian relief and disaster response. Various volunteer activities in my local church and children’s school.

    Tiffany Jones, CISSP
    Country/Region:
    USA
    (ISC)² Certified Since: 2013
    LinkedIn: https://www.linkedin.com/in/tiffany-jones-cissp-cipp-8b7315/


    Experience in Business Strategy

    I have the opportunity to manage as an Executive Officer and Commanding Officer units/ships in the Coast Guard and at the White House (as Deputy Chief of Staff for Cyber and Infrastructure Protection). While in industry, I have led government programs and major parts of the business at Symantec (in addition to leading Government Affairs for a number of years there). From Oct 2013 - Feb 2016 I was the Chief Revenue Officer at iSIGHT Partners running the entire business. Currently I run the Global Solution Providers Business Unit, OEM outbound business, and Alliance Operations for FireEye.


    Education

    CIPP, CISSP, Pragmatic Marketing launch and product management certifications.


    Industry Board Experience

    I have previously served on the boards of: National Cyber Security Alliance (NCSA), United States Coast Guard Academy Alumni Association, IT Sector Coordinating Council, and currently serve on 2 company boards.


    Skills & Expertise

    I can bring broad expertise from my time working in the military, government, and IT security industry. I work weekly with both CISOs, C-suite execs, and major IT outsourcing providers as they try to tackle the issues we face in cyber security. I can inform the board and staff on needs and requirements, training gaps that may exist, and how better to position and market (ISC)² with my marketing expertise.


    Goals & Objectives

    I have been a huge proponent of (ISC)² ever since being introduced to the organization while I worked at the White House under Richard Clarke on the first Government Strategy for Cyber Security. I was responsible for training, education and awareness within the strategy and met with (ISC)² and several other bodies/orgs to gain input to the strategy. The mission of (ISC)² is hugely important and needs to continue. Now I am also a member and have a CISSP certification from this great organization. I would love to give back.


    (ISC)² Strategic Contributions

    I would need to get educated quickly on efforts and programs to date before I can provide solid recommendations on what needs to be improved.


    Regional & Cultural Perspectives

    I currently manage teams around the Americas, EMEA and APJ. I travel to those regions frequently and am knowledgeable on culture and IT security needs in each of those regions.


    Professional Recognition

    I am a regular speaker at conferences, including RSA Conference, Black Hat USA, and US Govt Bilaterals as a delegate. I am a regular speaker and trainer at the Deloitte University program for veterans and transitioning officers. I currently sit on the CSIS Commission for Cyber Security advising the next administration on recommendations for improving security. I was a nominee for the WIT awards in 2016.


    Leadership/Management Experience

    I have held numerous leadership and management positions throughout my career in the military, government, and industry. See LinkedIn profile.


    Volunteer Experience

    I volunteer with the National Cyber Security Alliance (NCSA) in schools, and am a volunteer Coast Guard Academy Partner/Ambassador to help recruit talent into the academy.

About Board Elections

  • Board Election FAQs
    Q:

    How does the (ISC)² Board of Directors election process work?

    A:

    The election takes place for two weeks every year. All members in good standing as of the date specified in the election notice and of the date of the election may vote. The Board puts forth several recommended candidates each year, and members in good standing as of the date specified in the election notice may petition to have their names added to the ballot.

    Q:

    Who is eligible to vote in the Board election?

    A:

    (ISC)² credential holders in good standing as of 01 April 2017 and the date of the election, 30 July 2017, can participate in the Board of Directors election process.

    Q:

    Why are only some Board positions available for election?

    A:

    Board members are elected to three-year terms, and those terms are staggered so that only one-third of the members stand for election each year. This is consistent with common practices for nonprofit organizations, providing continuity of leadership and stewardship.

    Q:

    Why doesn't the Board place a call for nominations?

    A:

    Early in the year, the Board begins looking for potential candidates for the Board. This review begins by asking for suitable nominations from its various advisory boards and committees. This search typically yields approximately 25 potential candidates. The Nominations Committee then spends time vetting the candidates against various criteria listed below. This nomination and vetting process ensures that candidates have demonstrated their ability and desire to provide their time and energies to the organization over an extended period of time and are likely to be productive Board members.

    Q:

    What does the Board look for in candidates it puts forth on its endorsed slate?

    A:

    When assembling the endorsed slate every election year, the Board is looking for a balance of experience and particular personal characteristics. Prospective Board candidates must:

    • Have an established record of leadership in the field of information systems security.
    • Have experience in managing or directing a strategic program across an enterprise.
    • Have earned the respect and trust of peers in the subject of information security.
    • Have an established record of advancing the field of information security.
    • Have not been a salaried employee of (ISC)² or its affiliates.
    • Possess the ability to: listen, analyze, think clearly and creatively, and work well with people both individually and in a group.
    • Have the willingness to prepare for and attend four or more in-person board meetings, weekly teleconferences and committee meetings, ask questions, take responsibility and follow through on a given assignment, and read and understand financial statements.
    • Create opportunities for (ISC)².
    • Have a commitment from his or her employer to support the time off from work required to support this commitment.
    • Have a willingness to cultivate and recruit future Board members and other volunteers.
    • Possess honesty, sensitivity to and tolerance of differing views, and a desire to serve as a member of a team.
    • Be friendly, responsive, and patient in dealings with fellow Board members, and possess a sense of humor.
    • Adhere to the (ISC)² Code of Ethics.
    • Promote the agreed collective Board opinion above their own personal views.
    • Advocate for the organization. Work for change or acceptance where organizational views do not mirror those of the Board member.
    • Refrain from bringing the organization into disrepute through personal actions or words.
    • Qualify for eligibility based on the current (ISC)² Bylaws.

    Q:

    What selection criteria does the Board Nominations Committee use?

    A:

    The primary criteria used by the Nominations Committee are a matching of potential candidates to the ‘Experience and Personal Characteristics’ described above. The Committee will not nominate anyone whom the members feel, or know from experience, cannot meet these requirements. Above all, the Board is concerned with how well the membership will be served through the work and responsibilities of their proposed nominees.

    Q:

    Can (ISC)² members nominate others for Board election?

    A:

    Yes. As detailed in the (ISC)² Bylaws, the name of any qualified person who agrees to serve if elected may be submitted by a signed, written petition, of at least 500 members in good standing as of the date of the election announcement, to the Board at least 60 days in advance of the start of the election.

    Q:

    Why do the Bylaws set 500 members in good standing as the requisite number for the petition process?

    A:

    When the membership ratified the current Bylaws, they determined one percent was seen as a low enough number that could reasonably be achieved by any member, particularly given that signatures could be electronic and the numerous mediums that are available, both official and unofficial, for gathering those signatures. The Bylaws set a number that would not be so small as to make the process so easy as to be perfunctory and not accurately reflect the size of the organization but at the same time not so large as to be an impediment.

    Q:

    Does (ISC)² notify the membership when and how to recommend Board member candidates or prepare a petition for candidacy?

    A:

    While (ISC)² is not required to notify the membership of any deadline pertaining to the petition process according to its Bylaws, (ISC)² notifies its members of petition procedures and deadlines every year. The Bylaws provide that petitions for names to go on the official ballot must be received no later than sixty (60) days prior to the election in time for the Board to ensure that they are otherwise qualified and agree to serve if elected and to place them on the official ballot. Eligible members may vote for any qualified candidate who agrees to serve.

    Q:

    What are the instructions for submitting petitions* to nominate a Board candidate?

    A:

    To submit a petition, follow these steps:

    • No later than the deadline, submit a written or electronic petition to (ISC)², containing the signatures of no less than 500 (ISC)² members who are in good standing.
    • For electronic petitions, the candidate must submit an e-mail that contains (a) original encapsulated emails from supporters using their e-mail address of record and providing their (ISC)² member ID number; and, (b) an Excel spreadsheet listing of all such names with corresponding email address of record and (ISC)² member ID number.
    • All petitions will be verified to ensure that they meet all of the requirements. If yours does not, we will notify you as soon as possible, giving you the opportunity to resolve the matters that prevented your first submission from being accepted and submit a corrected petition.
    • If someone else nominates you, you may decline the nomination.

    *NOTE: (ISC)² does not endorse petitions. It is up to petitioners to promote their own petition and encourage other members to visit the site and "sign" their petition. (ISC)² will, however, send one email message per election year to all members on behalf of any candidate providing a link to more information about that candidate.

    Q:

    Other than receiving the required number of petition signatures, what determines if a candidate is qualified?

    A:

    The minimum qualifications, as set forth in the Bylaws, are that the candidate be a member in good standing, have sufficient command of the English language, meet the term limits requirement, and agree to serve if elected. Members may vote for anyone who meets this minimum qualification. See the question titled, "What does the Board look for in candidates?" for more details on candidate qualifications.

    Q:

    Where should I go if I have any questions about the Board of Directors election?

    A:
  • Board Election Timeline

     

    30 March 2017

    Announcement of election

    1 May 2017

    Board slate of nominees and electronic petition procedures announced

    31 May 2017, 5:00 p.m. EDT

    Deadline to submit petitions to ballot

    23 July 2017

    Announcement of instructions for electronic voting

    30 July 2017, 8:00 a.m. EST

    Electronic voting begins

    12 August 2017, 5:00 p.m. EST

    Electronic voting ends