Board Elections

You Control the Future

The (ISC)² Board Election will be conducted over the course of two weeks beginning on September 5, 2018 and ending on September 19, 2018 this year. All members in good standing as of the date specified in the election notice may vote in the election.

The Board puts forth several recommended candidates each year, and members in good standing as of the date specified may petition to have their names added to the ballot.

Board Slate

Board Slate 2018 Candidates
Gabriel Alexander Bergel, CISSP
Country/Region: Chile

Bio: Gabriel Bergel has 15 years of experience in different fields of information security, as a Consultant, Project Manager, Security Engineer, Information Security Officer, CISO and Leader Information Security Areas. He is a speaker at common courses, lectures, workshops and conferences for information security in different institutions, universities and events, both nationally and throughout Latin America. Currently Chief Strategic Officer (CSO) in Dreamlab Technologies and Chief Security Ambassador in 11Paths. He is a member of LAAC (Latin American Advisory Council) of (ISC)², Coordinator of the Center for Industrial Cybersecurity (CCI), President of the Chilean chapters of ISSA and (ISC)², as well as founder and organizer of 8.8 Computer Security Conference (the first and only hacker conference in Chile).

Experience in Business Strategy: Please detail your experience in managing a business or business unit, with special emphasis on strategic planning.

For years, Bergel has been in charge of the strategic planning. He currently has eight years of experience as the founder, organizer and CEO of the 8.8 Computer Security Conference, where one of his main functions is the strategic planning. Since last year in Dreamlab Technologies as the CSO, Bergel is responsible for the strategic planning of the company, PR and strategic alliances.

Professional Education: Describe any professionally-relevant higher education and/or professional education experience, training and certifications.

Computer System Engineer since 2002

CISSP certified by (ISC)²since 2006

ISO 27001 Lead Auditor certified by BSI since 2007

DRI CBCP certified since 2009

CISM certified by ISACA since June 2010

C|CISO certified by EC-Council since February 2013

Management Skills and Business Leadership postgraduate 2013-2014

Masters in Cybersecurity in the IMF Business School and the University Camilo José Cela (Spain)

Industry Board Experience: Please describe any current or past industry board experience, including your role, strategic contributions, and any measurable outcomes.

Bergel is a past president and founding member of the (ISC)²Chile chapter. During his time in office, the chapter attracted the community and gathered approximately 40 signatures to start the chapter in 2012. Since that date, the chapter has remained active by giving talks for the members, giving safety talks in the schools, reviewing scholarships of different programs, and translating the Safe and Secure Online material into Spanish. The chapter’s main achievement was to successfully hold Secure Chile, the first Secure event in Chile and the first (ISC)² Secure event in Spanish in South America. Bergel served as vice president of the board of the (ISC)²Chile chapter (2016-present) as well as president and founder of the board of the ISSA Chile chapter (2010-2016). Bergel earned the support of (ISC)²to hold Secure Chile and the 8.8 Computer Security Conference.

Skills and Expertise: Please describe specific areas of expertise you would bring to the Board and apply to the organization’s strategic planning.

Bergel considers himself a natural leader and usually achieves the goals he sets. He is proactive, motivated, ambitious, committed, responsible, and self-critical. His experience in the formation of the Chilean chapters of ISSA and (ISC)² gives him an in-depth knowledge of the idiosyncrasy of the Chilean and South American professionals and the strategies and techniques necessary to achieve the objectives that we set out as an organization. His work and time invested in the community through the leadership of the ISSA and (ISC)²chapters - and as founder of the 8.8 has made Bergel well-known in the Latin American information security community and having the opportunity to represent them on the (ISC)² Board of Directors motivates him a great deal.

Your Goals and Objectives: Why are you interested in serving on the (ISC)² Board of Directors, and where would you like to lead (ISC)² as a Member of the Board of Directors?

Bergel is interested in serving the Board so that they can better understand the Latin American culture, in order to design a strategy to bring the (ISC)²closer to the Latin American community. Even though the organization is known in the region, mainly due to its certifications, there is no full knowledge of the organization and its main pillars. One of his objectives is to get the professionals to be keen again, and to ensure that they get actively integrated in the organization as members, and to be able to increase the development of the certifications and have a larger presence in our region. Since he understands there are only approximately 1,300 members in LATAM against 85,000 in the U.S. alone, Bergel’s main contribution is in line with the number of members in LATAM. To lead the development of the members with the integration of the chapters in the region and expand the number of members with the support of the business area of (ISC)². He would also like to lead the Safe and Secure Online program for Latin America.

(ISC)² Strategic Contribution: What would you like to see done to improve (ISC)²’s strategic contributions to the information security community?

Bergel wants to see the number of members in the LATAM region increase significantly and would like to see more material, programs and events in Spanish, so that the region takes a quantitative and qualitative leap in relation to information security. In Berge’s opinion, despite agreeing that English is a universal language, the only way to get closer to the Latin community is to use the language spoken in the region. In fact, he considers that to hold holding the LATAM congress in Brazil in Portuguese has contributed to the low participation of the rest of the Latin community who all speak Spanish.

Regional and Cultural Perspective: Please describe any specific regional or cultural perspectives you may bring to the Board based on living and/or working in various regions of the world.

Bergel can bring to the Board all the experience gained when putting together the local chapters of (ISC)²and ISSA, and creating the 8.8 conference. It was hard and arduous work, but it was worth it. He has had the opportunity to work on projects and given talks in most of the countries of LATAM, and at present in his company, his team is formed by colleagues from different countries in both LATAM and Europe.

Professional Recognition: Please detail any recent or notable professional or peer recognition, including recognition of your skills, strategic contributions, or trust. Also include public speaking, authorship of notable books or papers.

(ISC)² Volunteer 2015 Premio Alumni Ingenierías 2015 description of the acknowledgment http://premiosalumni.unab.cl https://www.facebook.com/AlumniUNAB/?fref=ts I have been recognized by the media as one of the most renowned security professionals in Latin America (http://securityaffairs.co/wordpress/54225/hacking/hacker-interviews-gabriel-bergel.html)

Speaker at various local and international security and hacking conferences, such as: Segurinfo Chile, Novared Security Workshop (Chile), ESET Security Day, FIDAE (Chile), Seminario de Riesgos en Banca Electrónica y Canales Alternos (Chile and Peru), Cyber Security Banking (Peru), 8.8 Bolivia, Lima Hack (Peru), Congreso of the UNAM (Mexico), DragonJar (Colombia), Seminario Mind The Gap, SBIF (Chile), Andsec (Argentina), Foro Latinoamericano de Medios de Pago (Colombia), Patagonia Hacking (Chile), Congreso Internacional de Ciberseguridad Industrial (Chile), Campus Party Sao Paulo (Brasil), Charruacon (Uruguay), OWASP Latam Tour Bolivia, MoscowC0n (Rusia), PHD (Rusia), (ISC)² Security Congress Latin America (Brasil), 8.8 Perú, Bsides Chile, SAS Kaspersky (Mexico), as well as TV and news appearances, including Cyberwar: https://youtu.be/_OIdogrtNCU CSA https://youtu.be/hi5_BeaJIGA andEl Interruptor - VIA X https://youtu.be/vvZFCUU26xY CIA and Car Hacking https://actualidad.rt.com/video/233610-cia-recurrir-sistemas-inalambricos-controlar-coches Informe Especial, caso “Huracan” http://www.24horas.cl/programas/informeespecial/alex-smith- por-pruebas-en-operacion-huracan-me-di-cuenta-que-habia-manipulacion-2669103

Information Security Experience: If you have specific information security experience you feel would be relevant to the board, please include here.

Bergel has had the opportunity to work in large multinational companies leading the areas of information security. At Unimarc, the third largest retail company in Chile, he had the mission of arming the area from scratch, hiring people, developing policies, buying all the necessary security technology, defining the architecture and finally managing to integrate more than 21 supermarket chains in a safe and technologically controlled way. Currently he works at Dreamlab Technologies Chile after having been the Director of Professional Services, he is now the CSO and in charge of defining the strategy that allows us to reach the goals defined by the parent company as well as responsible for PR and company representation at international conferences, and the definition and concretion of strategic alliances. For the past year he has also been the Chief Security Ambassador (CSA) in Eleven Paths (Cybersecurity Brand of Telefónica), and he was offered this position based on knowledge of the region and recognition in the community. Furthermore, Bergel is the CEO of 8.8, the Coordinator of the Center of Industrial Cybersecurity of Spain (CCI), and teacher of the subject information security at the Andrés Bello University.

Leadership or Management Experience: Please describe any relevant leadership or management experience in any part of your professional career.

Bergel has had the opportunity to lead and manage areas of information security by developing important projects such as Unimarc. He also led the creation of the Chilean chapter of (ISC)²and was part of the board that created the Chilean chapter of ISSA. He is the Founder, Organizer and CEO of 8.8 (www.8dot8.org); and two years ago created the CISO Club, which bi-monthly gathers more than 60 CISOs from large companies where successes, projects and research are presented by the same CISOs. Last year they also created the 8.8 Junior whose purpose is to be a security conference that teaches young students. Last year, attendance included 400 students from different schools in Santiago. He is also part of the board that created Bsides Chile

Volunteer Experience: What experience do you have working as a volunteer, including charitable organizations?

Bergel’s main work as a volunteer has been with (ISC)²and ISSA where he has spent a lot of time forming the local chapters and keeping them active. For the past six years, he has been part of the LAAC. He is passionate about giving safety talks in schools and does them them ad honorem. Monthly, he contributes financially to the Rose Foundation, which cares for the elderly, the Down Foundation, for children with Down's syndrome, Firemen of Chile and annually to the Teletón, a foundation that rehabilitates people with a disability.
Dr. Kevin Charest, CISSP
Country/Region: USA

Bio: Dr. Kevin Charest serves as the divisional senior vice president and chief information security officer for Health Care Service Corporation. He is responsible for all aspects of IT security operations across HCSC’s five plan states, including actively monitoring and mitigating current cyberthreats and overseeing the governance, risk and compliance program.

Dr. Charest comes to HCSC from UnitedHealth Group, where he served as the VP of IT security and cyber defense operations. Prior to joining UnitedHealth Group, he served as the chief information security officer for the U.S. Department of Health and Human Services (HHS) and was directly responsible for the HHS cybersecurity technology portfolio.

Prior to joining the federal government, Dr. Charest served in a number of entrepreneurial and senior executive positions in the private sector. His leadership in technology applications, innovation and security were instrumental to the development of numerous products and services.

Dr. Charest currently serves as a board chair for (ISC)², the largest international information security certifying body in the world. Additionally, he works across multiple industries and platforms focused on information sharing for cyber defense improvement broadly.

Dr. Charest holds a Ph.D. in Cybersecurity from Capella University. He also holds a master’s degree in Business Administration from the University of West Georgia and a bachelor’s degree in Computer Science from the University of Central Arkansas. He is also a veteran of the United States Marine Corps and the U.S. Army.

Experience in Business Strategy: Please detail your experience in managing a business or business unit, with special emphasis on strategic planning.

Dr. Charest has had numerous positions in his career where he was responsible for providing the vision and strategic planning for an entire enterprise-wide information security program. In his most recent position with United Health Group, he developed the vision and strategy for the deployment of a global cyber defense operational model which covers the entirety of this Fortune 14 company. Prior to joining United Health Group, he served as Chief Information Security Officer for the U.S. Dept. of Health and Human Services. As the head of this program for the department, Dr. Charest was responsible for the development and execution of the entire program to ensure compliance with federal regulation but more importantly to create a diverse program capable of support and facilitating the mission of the agency while maintaining a high degree of security posture.

Professional Education: Describe any professionally-relevant higher education and/or professional education experience, training and certifications.

Dr. Charest has an undergraduate degree is in Computer Science, an MBA in Information Technology, and a Ph.D. in IT with a specialization in Information Assurance and Security. His research centered on end-user response to IT security threats where he validated a theoretical construct utilizing neutralization and avoidance theory. His professional certifications include CISSP, HCISPP and PMP. He served on the committee that developed the standard and testing criteria for the HCISPP certification.

Industry Board Experience: Please describe any current or past industry board experience, including your role, strategic contributions, and any measurable outcomes.

Dr. Charest served in a technical advisory board role for an emerging technology company in the IT security space, specifically focused on the healthcare critical sector. His capacity has been to validate theoretical approaches and provide mentorship on the development and utilization of their technology. The company was a recent top three finalist in the Maryland Technology challenge for 2015 and has begun to deploy their products into such prestigious organizations as Johns Hopkins, where they have already had success in enhancing their security posture.

Skills and Expertise: Please describe specific areas of expertise you would bring to the Board and apply to the organization’s strategic planning.

Dr. Charest’s forte is in practical application of information security practices in the defense of the enterprise against bad actors and those who wish to do harm and disrupt operations. Dr. Charest would like to assist the Board by contributing to the advancement of theory in information security to the practical application and operation which leads to effective protections and enhanced security posture for an organization. He looks forward to serving beside colleagues of such caliber and for the opportunity to enhance the professional though his association with (ISC)² and the Board.

Your Goals and Objectives: Why are you interested in serving on the (ISC)² Board of Directors, and where would you like to lead (ISC)² as a Member of the Board of Directors?

Dr. Charest wants to serve on the (ISC)² Board of Directors because he sees it as a continuation of desire to give back the field of endeavor that he has spent the last 20+ years tackling. The premier position of (ISC)² represents a significant opportunity for impact. The global reach and the recognition of the organization as the leader in setting standards and creating the body of knowledge for information security practitioners is second to none and Dr. Charest wants to be in a position to contribute to that, and the utilize earned expertise as an operational information security expert to benefit others in the profession. Sharing leading practices and mentoring others was a foundational element of the way Dr. Charest conducts himself as a professional, and serving on this Board would be the ultimate opportunity to do just that work.

(ISC)² Strategic Contribution: What would you like to see done to improve (ISC)²’s strategic contributions to the information security community?

(ISC)² has set the standard among other organizations that have attempted to create a body of knowledge and provide a basis for professional certifications which can be used to ascertain a level of competence within the information security profession. Given that exceptional foundation, Dr. Charest would like to see (ISC)² provide even more content leadership centered on practical application of the domain body of knowledge and more specifically to the area of information security operations and cyber defense operations. The current threat environment dictates the need to train and enhance the capabilities of professionals in our field across the globe.

Regional and Cultural Perspective: Please describe any specific regional or cultural perspectives you may bring to the Board based on living and/or working in various regions of the world.

As a member of the U.S. military serving in both the Marine Corps and the U.S. Army, Dr. Charest has had the privilege of serving his country in many regions of the world and came to appreciate the people and the cultures to which he was exposed during that time. In addition, as an information security practitioner, he hasbeen responsible for global cyber defense operations and security operations in more than 55 countries with a myriad of local laws and regulations and social mores. Today he has the honor of leading a world-wide cyber defense operation for United Health Group which is rich in multi-cultural contributors and provides challenges and growth opportunities for Dr. Charest as he navigates the various requirements and needs for such a diverse organization.

Professional Recognition: Please detail any recent or notable professional or peer recognition, including recognition of your skills, strategic contributions, or trust. Also include public speaking, authorship of notable books or papers.

Dr. Charest received the National Security Agency Frank B. Rowlett Cybersecurity Individual Award (2012), and was a finalist for the GTRA GOVTek Excellence in Cybersecurity Award Finalist (2012). He was nominated for theISE Southeast Security Executive of the Year Nominee (2011) and authored his dissertation, “Factors affecting user behavior and conformance to information security practices: Are end users really the problem?” which provided theoretical validation for end-user threat response behaviors observed in the research population. Dr. Charestalso has had the opportunity to speak at numerous information security conferences both as a keynote speaker as well as serving on and facilitating several panel discussions on a variety of information security topics relevant to practitioners.

Information Security Experience: If you have specific information security experience you feel would be relevant to the board, please include here.

Dr. Charest has served in the profession at all levels within the information security realm and brings a pragmatic approach to information security and its effect on the organization and those in it.

Leadership or Management Experience: Please describe any relevant leadership or management experience in any part of your professional career.

Dr. Charest has served as a senior leader in multiple organizations over the last 20+ years. His senior leadership positions have spanned both public and private organizations and a broad cross-section of responsibilities from VP of Professional Services for IMSHealth, Executive Vice President for WiFiMed an Electronic Medical Record company, VP and CISO for Greenway Medical Technologies, CISO for U.S. Dept. of Health and Human Services, and my current position as VP IT Security and Global Cyber Defense Operations for United Health Group. His ability to develop a vision and subsequent strategy has allowed him to enjoy a career of successful execution of critical key initiatives which have had a positive material impact on each organization he has been fortunate enough to work with in his career to date.

Volunteer Experience: What experience do you have working as a volunteer, including charitable organizations?

Dr. Charest has had several experiences in volunteering with charitable organizations, bothsecular and faith-based. During his tenure in the U.S. federal government he worked on the Combined Federal Campaign which serves more than500 charitable organizations. In each of his three campaigns, the group was able to meet or exceed their contribution objectives. He has also volunteered and served as a member of the (ISC)² group that created the HCISPP certification and resulting testing criteria.
Aloysius Chai Luen Cheang, CISSP
Country/Region: Singapore

Bio: Aloysius Cheang is a senior corporate executive with extensive experience in managing and delivering direct business values in strategic, complex multi-million dollar IT programme and business projects for Global 500 organisations worldwide. He is a globally recognised cybersecurity expert and has worked on a wide variety of complex technology and business problems. In his line of work, Aloysius has managed large multi-cultural, multi-disciplinary team spread across 5 continents and 4 major time zones, many a time building up the business from scratch.

While currently running iSyncGroup an IoT start-up in stealth mode, he was most recently EVP, Co- Founder and Managing Director Asia Pacific for the Cloud Security Alliance (CSA), covering the entire Asia including China, Japan the Indian sub-continent and ANZ, and doubled up as the organisation’s Chief Standards Officer. During his tenure with the CSA, Aloysius was instrumental for the superlative expansion of the CSA outside of the U.S., obtaining critical executive buy-in and adoption from both the private and public sectors in the rest of the world as well as being influential in political and economic groups such as the ISO, INTERPOL, ITU-T, APCERT, ASEAN etc. In the area of global cloud security standardisation, he had harmonised the adoption of various standards and national regulatory requirements across the globe based on CSA best practices and guidelines such as the CSA STAR series and was the internal sponsor for the development of the CCSP certification, not only bringing together but spearheading the collaboration between the CSA and (ISC)² in a collaboration that took more than 2 years to materialise. Currently he still sits on various boards in various tertiary institutions, lending his advice for the development of cybersecurity related degree programme for these institutions of higher learning and retains an advisory role in the some of the social-economic and political groups mentioned above. Previous to the CSA, Aloysius was a global Head of Security with one of the largest telecommunication company in the world, a Technology Practice Leader covering Asia and the Middle East for a leading U.K. based management consulting company and a Security and Forensic Practice Leader in Singapore for a big 4 firm. He was protem chairman for Association of Information Security Professionals in Singapore from 2006-2007 and had chaired its predecessor, SIG^2, one of the first (ISC)² ALIG member in the world from 2002 to 2006 in Singapore. Additionally, he was a former Head of Delegation for the Singapore National Body to ISO and the author of ISO/IEC 27032 “Guidelines for Cybersecurity" International Standard.

Aloysius holds B.Sc (Hons) and Masters in Computer Science from the National University of Singapore. His professional certifications include CISSP, CISA and GCIH. Aloysius’s views are valued by major media globally such as BBC, Times, Wall Street Journal, ZDNet, CIO, The Straits Times and ChannelNewsAsia as an independent source of specialist opinion.

Experience in Business Strategy: Please detail your experience in managing a business or business unit, with special emphasis on strategic planning.

Current (iSyncGroup)

Develops high quality business strategies and plans ensuring their alignment with short-term and long-term objectives

Build trust relations with key partners and stakeholders and act as a point of contact for important shareholders especially with the Board and investors

Lead and motivate subordinates to advance employee engagement develop a high performing managerial team

Oversee all operations and business activities to ensure they produce the desired results and are consistent with the overall strategy and mission

Enforce adherence to legal guidelines and in-house policies to maintain the company’s legality and business ethics

Review financial and non-financial reports to devise solutions or improvementsSource for suitable financial funding that will be synergistic and critical for the further development of the company’s business in line with the company’s strategy

Professional Education: Describe any professionally-relevant higher education and/or professional education experience, training and certifications.

Cheang graduated with a B.Sc (Hons) in Computer Science and M.Comp from National University of Singapore and the following are professional certifications and technical courses he attended:

Microsoft Most Valuable Professional – Consumer Security by Microsoft

Certified Information Systems Security Professional by (ISC)²

Certified Information Systems Auditor by ISACA

GIAC Certified Advanced Incident Handling Analyst by SANS

Institute EnCase Intermediate Computer Forensic Training by Guidance Software

Linux Certified Professional by GNU SAIRS IDA

Pro Disassembler Training by Data Rescue

Application Engine Development and OS Internals Trainings Device Driver Training by Symbian

Device Driver Training by Redhat

Industry Board Experience: Please describe any current or past industry board experience, including your role, strategic contributions, and any measurable outcomes.

Cheang has contributed to the community and built up the recognition and achieved targets as a result of the strategies of these organisations during my tenure with them:

Board Director and EVP for Asia Pacific Centre for Strategic Cyberspace + Security Science

Honorary Chairman, Taiwan Cyber Security Alliance

Member, School of Infocomm Advisory Committee, Republic Polytechnic, Singapore

Member, Industrial Advisory Board, National Cyber Safety and Security Standards, India

Member, National Cloud Computing Advisory Council, Singapore

Member, Industry Advisory Committee, Faculty of Information and Communication Technology, Mahidol University

Member, Industry Advisory Committee and Fellow, Singapore Institute of Technology

Member, Industry Advisory Board Cybersecurity Lab, University of Waikato

Member, Industry Advisory Committee, College of Electrical Engineering and Computer Science, National Taiwan University of Science and Technology

(Former) Board Director Asia Pacific Advisor, Cloud Security Alliance

(Former) Singapore NB Head and representative

ISO/IEC JTC 1 SC 27 and contributor to ISO standards ISO/IEC 27001/2, ISO/IEC 13335 and ISO/IEC 24762

(Former) Member Security and Privacy Technical Standards Technical Committee under IT Standards Committee, Singapore

(Former) Co-Editor, ISO/IEC 27032 – “Guidelines for Cybersecurity”

(Former) ISSA CSO round-table member and Cybersecurity advisor (2006 – 2008), USA

(Former) Protem President and Co-Founder, Association of Information SecurityProfessionals (“AISP”) and its predecessor, Special Interest Group in Security and Information Integrity (“SIG^2”), Singapore

(Former) Industry Advisory Panel member, The National Technical Authority for Information Assurance (“CESG”) and Council of Registered Ethical Security Tester (“CREST”), UK

(Former) Protem member, Institute of Information Security Professional (“IISP”),UK

Skills and Expertise: Please describe specific areas of expertise you would bring to the Board and apply to the organization’s strategic planning.

Cheang will bring to the table the following:

Expertise in starting and managing community of practice: He has been deeply involved in starting community of practice for the past 18 years, for example SIG^2 (AISP) in Singapore, ISO/IEC JTC 1 SC 27, ITU-T SG 13 and SG 17 and CSA globally. He has nurtured within these groups further specialization such as research and development andpromote networking. He believes he will be most useful in cultivating new research working groups working on solving technical questions to incubating standardization, building up think tank capability, and building spheres of networking via chapters and other social activities.

Ability to connect and provide that mindshare to senior decision makers in both governments and corporations worldwide. As a senior executive for my day jobs, I have been a trusted advisor to governments and companies worldwide for the past 12 years. 3) Connect to the professional information security community. As a community leader and a practitioner, I can definitely connect with well with the information security communities worldwide, and command a high level of trust and respect because I am one of them and I have went through the entire career ladder ground up and thus can relate to their nuances and concerns.

Your Goals and Objectives: Why are you interested in serving on the (ISC)² Board of Directors, and where would you like to lead (ISC)² as a Member of the Board of Directors?

Cheang enjoys contributing to the information security community, so the opportunity with the (ISC)² Board of Directors will offer a platform to do much more. He wants to see more quality content delivered to members. He wants to provide more opportunities for not simply networking, but quality networking. He likes being able to articulate not only the issues and problems that information security will bring to the, but what it is necessary to build up this capability and be the voice for our members providing a two-way communications are created for members to come together and demystify information security amidst business and social concerns, providing a clear, consistent and transparent message that will reduce the push back that people have with regard to information security today.

(ISC)² Strategic Contribution: What would you like to see done to improve (ISC)²’s strategic contributions to the information security community?

Strategically, Cheang believes we need to do the following better:

Delivery of quality content to members. This does not mean (ISC)² generated content or any other paid content, but content that is created within the (ISC)² community, by the community for the community. For example, research working group, focus group discussion, CXO roundtable and think-tank establishment, standards and labs.

Development of quality networking opportunities. Leveraging on the delivery of quality content, one can also provide quality networking opportunities, that is well match to the interest and demand of the targeted group.

Assisting members to translate knowledge from paper to practice. Research working groups/projects and standardization that codify the knowledge are things that Cheang wants (ISC)² to do better as elaborated earlier, but how these codified knowledge can be translated into practical implementation, POC in progress, how to adopt them in real life in our companies. This would be key.

Providing a clear and well-defined career roadmap that is adopted by governments and corporations worldwide. Cheang and others do not like to see CISSP and other (ISC)² certifications appearing in job descriptions and tender documents, but in internal HR process as well, that will featured prominently as a requirement in their career progression and for continuous education.

Regional and Cultural Perspective: Please describe any specific regional or cultural perspectives you may bring to the Board based on living and/or working in various regions of the world.

Coming from Singapore and being a regional leader in APAC for the last seven years with the CSA, Cheang will bring a strong regional focus in APAC where he can galvanize this region into action as a leader, especially with the ascension of Asia with the development of emerging markets such as China, India and ASEAN. In particularly for ASEAN there is a great divide, and Cheang sees education and professional training as the key to bridge the gap.

Professional Recognition: Please detail any recent or notable professional or peer recognition, including recognition of your skills, strategic contributions, or trust. Also include public speaking, authorship of notable books or papers.

Please refer to https://aloysiuscheang.wordpress.com/ for a list of accolades, public speaking and media interviews activities

Volunteer Experience: What experience do you have working as a volunteer, including charitable organizations?

Board Director and EVP for Asia Pacific Centre for Strategic Cyberspace + Security Science

Honorary Chairman Taiwan Cyber Security Alliance

Member, School of Infocomm Advisory Committee, Republic Polytechnic, Singapore

Member, Industrial Advisory Board, National Cyber Safety and Security Standards, India

Member, National Cloud Computing Advisory Council, Singapore

Member, Industry Advisory Committee, Faculty of Information and Communication Technology, Mahidol University

Member, Industry Advisory Committee and Fellow, Singapore Institute of Technology

Member, Industry Advisory Board, Cybersecurity Lab, University of Waikato

Member, Industry Advisory Committee, College of Electrical Engineering and Computer Science, National Taiwan University of Science and Technology

(Former) Board Director and Asia Pacific Advisor, Cloud Security Alliance

(Former) Singapore NB Head and representative

ISO/IEC JTC 1 SC 27 and contributor to ISO standards ISO/IEC 27001/2, ISO/IEC 13335 and ISO/IEC 24762

(Former) Member, Security and Privacy Technical Standards Technical Committee under IT Standards Committee, Singapore

(Former) Co-Editor, ISO/IEC 27032 – “Guidelines for Cybersecurity”

(Former) ISSA CSO round-table member and Cybersecurity advisor (2006 – 2008), U.S.

(Former) Protem President and Co-Founder, Association ofInformationSecurity Professionals (“AISP”) and its predecessor, Special Interest Group in Security and Information Integrity (“SIG^2”), Singapore

(Former) Industry Advisory Panel member, The National Technical Authority for Information Assurance (“CESG”) and Council of Registered Ethical Security Tester (“CREST”), UK

(Former) Protem member, Institute of Information Security Professional (“IISP”), UK

(Former) Advisory Board Member, National Infocomm Competency Centre

(Former) Volunteer, National Volunteer & Philanthropy Centre
Cindy Cullen, CISSP
Country/Region: United States

Bio: Cindy Cullen, CISSP, CCSK, CISM, ITILv3, MSCsc, has held a CISSP for over 15 years and has worked in cybersecurity in telecommunications, finance, pharmaceutical, healthcare, on government projects and with security vendors. Her extensive and varied background makes her an excellent candidate for the (ISC)² Board. She has experience in cybersecurity research, innovation, hands-on technical work and is an experienced senior manager including as Chief Cyber Security Strategist at Hewlett Packard Enterprise, Chief Technology Officer at SAFE BioPharma, Chief Information Security Officer at Bellcore and most recently as an Advisory Consultant to various Fortune 500 companies and governments.

Experience in Business Strategy: Please detail your experience in managing a business or business unit, with special emphasis on strategic planning.

As Chief Cyber Security Strategist at HPE she provided strategic leadership on product development interfacing with customers and product management to design products that meet business/industry needs. She was instrumental in integrating multiple products to provide solutions to meet the customer needs, strategy on product development (i.e. adding SAAS and business partner SAAS). Cullen’s team signed one of the largest contracts for the security organization. While at Bellcore, Cullen ran the Security and Fraud Solutions Business Unit. She managed strategic and tactical plans, business development, sales team interactions, customer development, business partner development, staffing, contracts, SLAs and vendor management. Under her leadership the program grew by 30 percent.

Professional Education: Describe any professionally-relevant higher education and/or professional education experience, training and certifications.

Cullen has a Master’s in Computer Science and more than twenty years’ experience in cybersecurity. She has a CISSP, Certified Information Security Manager (CISM), Six Sigma Black Belt (SSBB), CCSP and Information Technology Information Library ITILv3.

Industry Board Experience: Please describe any current or past industry board experience, including your role, strategic contributions, and any measurable outcomes.

Cullen has had a lifelong interest in education. She served on the Bridgewater-Raritan Board of Education as a publicly elected official for nine years including as President, Vice President, and chairman of committees. Her accomplishments include enhancement of computer education courses, collaboration with municipal government and public library system, greater performance accountability and strategic personnel changes. Additionally, she was re-elected three times!

Skills and Expertise: Please describe specific areas of expertise you would bring to the Board and apply to the organization’s strategic planning.

Cullen has extensive strategy and planning experience across cybersecurity products and services development, as well as leadership at nonprofit associations providing educational and professional programs. Cullen has the ability to see the issues, propose solutions and get the project completed. For example, when she started as CTO the solution was adopted by only a handful of people. She re-designed the technical and business strategy. She proposed a technical redesign, re-architected the solution, provided oversight on move to the cloud, and facilitated a POC including a public private partnership with NCI. As Advisor, Cullen took an identity and access management project had languished for three years and was able to complete the project in six months. Additionally, a few weeks before a conference was scheduled to take place, attendance was extremely low. Others wanted to cancel the conference, but Cullen insisted the “show go on.” The conference was a major success with a near capacity crowd and was an excellent fundraiser for the (ISC)² NJ Chapter.

Your Goals and Objectives: Why are you interested in serving on the (ISC)² Board of Directors, and where would you like to lead (ISC)² as a Member of the Board of Directors?

As a member of the (ISC)² Board of Directors, Cullen will facilitate expanded involvement of (ISC)² certificate holders, increase the number of certificate holders, increase types of certifications, increase the community outreach program and expand the reach of (ISC)² via communities, chapters andsocial media.

(ISC)² Strategic Contribution: What would you like to see done to improve (ISC)²’s strategic contributions to the information security community?

There are three areas Cullen would like to see enhancement to (ISC)²’s strategic contribution to the information security community. Those are • Address the shortage of qualified information security professionals • Attract a diverse population to the industry and to involvement within (ISC)² • Raise the level of involvement of (ISC)² in policy and standards development.
The number one challenge facing the information security industry is lack of qualified cybersecurity professionals. (ISC)² is assisting in addressing the shortage in many ways with certifications, chapters, webinars and training programs and Cullen would like to see continued strengthening of chapters, creating stronger relationships with universities at the Chapter level, and greater collaboration within (ISC)². As a chapter leader, Cullen has developed relationships with New Jersey universities. She has managed Capstone projects for the New Jersey Institute of Technology student graduate projects that provide real world experience. The Capstone project is developing a few vulnerable sites and providing access to open source vulnerability testing tools (i.e. metasploit, ZAP, wireshark…) so that students receive hands-on experience. (ISC)²would benefit from greater involvement in policy development at the local, national and international levels. There is a need for expert guidance and insights for legislators and government leaders and standards bodies. This would enhance (ISC)² standing in the industry, provide badly needed expertise and lead to much better legislation and standards.

Regional and Cultural Perspective: Please describe any specific regional or cultural perspectives you may bring to the Board based on living and/or working in various regions of the world.

On a regional basis, Cullen has been involved in giving back to the cybersecurity community by being actively involved in regional activities – giving cybersecurity presentations at a regional (PA, MA, NY, NJ, DC) at a national (FL, CA, CO, MN, IL, …) and international (Japan, U.K., Germany, Slovenia, Malaysia, Singapore) level. Additionally, she has managed outsourced services throughout the world. Cullen has experience interfacing with support and service delivery organizations around the world including Brazil, Ireland, Yugoslavia, Slovenia, Philippines, and India.

Professional Recognition: Please detail any recent or notable professional or peer recognition, including recognition of your skills, strategic contributions, or trust. Also include public speaking, authorship of notable books or papers.

Cullen was awarded the Digi for pioneering use of inter-operable digital identities by the National Cancer Institute (NCI) and industry cancer researchers that demonstrates how clinical trial initiation can be accelerated while reducing costs. Her project was awarded the ComputerWorld Laureate Honor for "Research Collaboration in the Cloud: How NCI and Research Partners are using Inter-Operable Digital Identities, Digital Signatures and Cloud Computing to Accelerate Drug Development" and was recognized by United States National Strategy on Trusted Identities in Cyber Space (NSTIC). Cullen is a recognized national and international speaker receiving invitation to speak worldwide at various conferences such as (ISC)² Congress, Secure Boston, SECON2017, NYMJCSC, RSA, ISSA, OWASP, DIA, OASIS, HOPE, Burton Group, NIST, and IDTrust.

Information Security Experience: If you have specific information security experience you feel would be relevant to the board, please include here.

Cullen has more than twenty years’ experience in cybersecurity including as CISO, CTO, Chief Cyber Security Strategist and Cybersecurity Advisor. She has developed programs to address all facets of cybersecurity. As a recognized national and international cybersecurity professional and has spoken at various conferences, including (ISC)²Congress, Secure Boston, SECON2017, NYMJCSC, RSA, ISSA, OWASP, DIA, OASIS, HOPE, Burton Group, NIST, and IDTrust.to list a few. cynthiadcullen.com https://www.linkedin.com/in/cindycullencissp/

Leadership or Management Experience: Please describe any relevant leadership or management experience in any part of your professional career.

At Bellcore, Cullen led a team of 30 cybersecurity consultants increasing the size of the organization and sales by 30 percent. As CTO, Cindy set the technical direction for a digital identity for the healthcare and pharmaceutical industry. This included rearchitecting the solution to make it user friendly, compliant with national and international standards, implementing the technical infrastructure, and obtaining adoption in U.S. and EMEA including explicit mention in regulations. As a Fellow at Institute of Critical Infrastructure, she provided thought leadership through interviews, publications, webinars, and other educational offerings including advising U.S. Congress on technology policy. As Chief Cyber Security Strategist, Cullen worked with the application design teams and Fortune 50 customers to ensure products met business needs of customers, developed sales strategies. Her team won the largest multimillion dollar contract.

Volunteer Experience: What experience do you have working as a volunteer, including charitable organizations?

Cullen is a cybersecurity community leader with five years as an officer in (ISC)² NJ Chapter including three years as president, and one year as President of NJ Central Chapter of OWASP. Under Cullen’s leadership the (ISC)² NJ Chapter expanded program offerings, expanded social media presence, increased membership, increased attendance at meetings to be on average 60 people and collaborated with regional associations such as ISACA, ASIS, OWASP, and ISSA and government agencies including NJ Cyber Security Communications and Integrations Cell and FBI. The chapter has developed strong ties with New Jersey City University, New Jersey Institute of Technologies including hosting conferences, mentoring students, and managing Capstone projects. Additionally, Cullen has served as a publicly elected official for the Bridgewater-Raritan Board of Education for nine years including as VP and President. She led various committees including curriculum, public relations, and finance managing a budget of $125 million.
Paul Innella, CISSP-ISSMP
Country/Region: USA

Bio: Twenty-five years of corporate executive, cybersecurity, and computer science experience.

Founded, financed, and built TDI into a world-class consulting firm offering cybersecurity services to government agencies and commercial clients around the world. Grew TDI year after year to be a multimillion dollar, consistently-profitable company servicing hundreds of clients. Secured, negotiated and ensured execution on hundreds of contracts with end customers, government agencies, and strategic partners.

Founded TDI in 2001 to pursue cybersecurity as its core competency. Since inception, ran TDI to lead hundreds of cybersecurity initiatives, establishing outstanding credentials in nearly all areas of cybersecurity engineering. Pushed employees to pursue the latest developments in cybersecurity through active lecturing at international conferences, publishing articles, and working on the cutting edge of cybersecurity development programs, particularly through internal research and development program.

Recognized cybersecurity expert and corporate executive who has published articles and conducted interviews (Financial Times, Forbes, ABC News, FOX News, Federal News Radio, MSN, EuroNews, ComputerWeekly, Washington Business Journal, CSO, SC Magazine, etc.) and delivered seminars and lectures to a worldwide audience. Employed as a subject matter expert on and technical advisor to commercial companies and projects at global universities and U.S. government agencies.

Advised a client list that includes the likes of British Telecom, DARPA, the U.S. Navy, DeutscheBank, and the International Monetary Fund.

Graduated from James Madison University with a degree in Computer Science, attended graduate courses at Johns Hopkins University, and Executive Programs at Cambridge University Judge Business School, IMD, University of Edinburgh Business School, and University College of Dublin Business School.

Certified Information Systems Security Professional (CISSP) - Information Systems Security Management Professional (ISSMP), Certified Information Security Manager (CISM), and NSA IAM professional.

Established and currently chair the charitable “White Hat USA” organization - established with the goal of raising money, through the Cybersecurity community, to help children at Children’s National Medical Center. Board Member of JMU STEM Executive Advisory Council, Children’s Hospital Foundation Board, WashingtonExec’s Cyber Council, Don Ciccio, and Co-Chair of Children’s National Corporate Advisory Council. Previously, Vice President of Education for Board of National Chapter of the Information System Security Association (ISSA).

Experience in Business Strategy: Please detail your experience in managing a business or business unit, with special emphasis on strategic planning.

Having founded, financed, and built TDI into a world-class consulting firm, offering cybersecurity services to government agencies and commercial clients around the world, Paul Innella has particularly unique experience in business strategy. He grew TDI year after year to be a multimillion dollar, consistently-profitable company servicing hundreds of clients. He has secured, negotiated and ensured execution on hundreds of contracts with end customers, government agencies, and strategic partners. Specifically, he has more than twenty years of management experience and has defined a vision for, developed, and executed on strategic plans for organizations in their infancy to maturity and looking to exit. As CEO, he is charged foremost with growing the firm through a well-defined vision supported by strategic plans and tactical initiatives which he influences, guides and directly or indirectly oversees. Geographically, TDI has customers and associated employees in the United States, England, Bahrain, Singapore, Japan, and Guam, all within his remit. The three critical areas he focuses on as leader of the company are providing vision and direction, making the most important decisions, and monitoring execution of TDI’s strategic plan with a keen eye to instill strategic, decisive, and critical qualities in the firm’s culture, particularly at the executive level. Directly or indirectly he is responsible for, and intimately familiar with: sales, contracts, finance, service delivery/operations, IT, HR, security, and virtually all aspects of this business. Along the way, he has charted strategies for moving the firm from infancy to exit, services only to R&D and product development, and taking processes and procedures and turning them into intellectual property.

With the growth of TDI, he has personally mapped internal strategies on partnerships, teaming, pricing, recruiting, infrastructure, facilities, security and clearances and even office management and employee culture. For example, Innella defined a strategy to overcome price competition in the U.S. government marketplace which loomed evident as a growth inhibitor for his firm. While the U.S. government market has been shrinking, cybersecurity services have not. Nonetheless, these otherwise high-end services have become commoditized leading to a decline in prices.

Consequently, they spent years battling with larger firms who can absorb lower costs across a larger direct labor base as well as a customer who insists on paying “lowest cost,” all the while expecting quality to remain consistent. He learned to survive in this marketplace but needed a strategy to grow and thrive. Through a combination of partnership, ensuring value through unique differentiators, and financial management he executed on a strategy to be both price competitive and provide value to their customers. Organizationally, his executive team assumed too much of the day-to-day responsibilities one should expect a company’s middle tier to champion.

Historically,  they were unable to pass down some critical responsibilities below the highest level in the firm. In response, he formulated a strategy to address this organizational problem and, as an expected consequence, increase TDI’s revenues by allowing his executives to focus on growth. He implemented this strategic plan which tied middle management’s performance metrics to measurable goals for which at-risk compensation and promotion within the firm was tied, ensuring true accountability. In addition, Innella addressed a void in the company’s culture by promoting growth from the lowest tiers and defining career progression as a reward coupled with one’s ability to support TDI’s progression. Even as a cybersecurity consultant in TDI’s earliest stages, he delivered strategic plans for many of TDI’s customers, including the United States Drug Enforcement Administration (DEA), U.S. Department of Housing and Urban Development, and Monster. For example, at the DEA he analyzed the operations environment of their cybersecurity and IT divisions   to assess risks in their cybersecurity practices. From this, Innella developed a recommended strategy of implementing particular security processes/procedures/policies, providing associated budgetary recommendations and estimations, and suggesting organizational restructuring to demonstrate how these organizations should optimally conduct operations. As TDI just completed its seventeenth year of business, he is currently executing on a final strategic plan for a large capital raise leading to a strategic exit for the company. To do so, he secured a second in charge who has taken the role of President and COO. In doing so, he unhampered himself to investigate significant alternative methods of growth primarily through exploitation of clearly articulated intellectual property and development of a SaaS product. Innella’s intent is to garner investment to either acquire or build new sources of revenue generation to realize an exit within 24-36 months. Afterwards, he wants to focus full-time on launching several new ventures that he has been working on. One might argue this is a personal strategy yet he finds these all to be progressive steps in execution of a business strategy which has evolved over time and through necessity. In short, he has two decades of experience in objectively examining and assessing business and operations, seeing future requirements for these, developing a strategic plan to meet those requirements, and successfully executing on the plan.

Professional Education: Describe any professionally-relevant higher education and/or professional education experience, training and certifications.

EDUCATION:

James Madison University, B.S. Computer Science, Minor in Mathematics, 1995

Johns Hopkins University, M.S. Computer Science, Half-Complete

IMD Business School, International Seminar for Top Executives Program, 2008

Cambridge University Judge Business School, Advanced Leadership Programme, 2016

University of Edinburgh Business School, MBA Course: Financial Aspects of Mergers and Acquisitions, 2016

University College of Dublin Business School, Executive Development: Winning Negotiation Strategies, 2016

PROFESSIONAL CERTIFICATIONS:

CISSP-ISSMP - Certified Information Systems Security Professional - Information Systems Security Management Professional

CISM - Certified Information Security Manager

NSA-IAM - NSA INFOSEC Assessment Methodology Certification

Tripwire Certified Professional

Centrax Certified Professional

Certified Network ICE Professional

eCertification Certified Web Security Professional

Industry Board Experience: Please describe any current or past industry board experience, including your role, strategic contributions, and any measurable outcomes.

Innella has the following board experience:

Chair, White Hat USA - He established White Hat USA in 2012 with the goal of raising money to help children at risk while providing networking opportunities for members of the cybersecurity community. The sole recipient of all White Hat USA endeavors is Children’s National Health System in Washington, DC. The goal of White Hat USA is to provide philanthropic endeavors throughout the year. At a minimum, White Hat USA ensures one event per year to bring members of the cybersecurity community together for a gala in support of Children’s National Health System. He formed the White Hat USA Steering Committee as a collective of cybersecurity luminaries to ensure the success of this organization and to guide, advise, contribute, and participate in various events and initiatives. Having finished its fifth year in 2017, White Hat has raised $2 million for Children’s while being hailed as the Washington DC area’s foremost cybersecurity gala, bringing together many of cyber’s largest vendors and the area’s biggest defense contractors and consulting firms.

Board Member, Children’s Hospital Foundation Board - For several years now, Innella has helped guide the direction of Children’s Hospital Foundation Board, serve as its ambassador, and help raise needed funds for the Foundation. The Foundation is the fundraising arm of Children’s National Health System in Washington, DC which raises ~$70 million per year. Part of his participation on the Board is vocally and through insightful opinion pieces recommending leadership that established a longer term strategic plan, demanded results, and ensured coordination and communication between various Children’s endeavors – previously extraordinarily stove-piped. His participation helped lead to the overhaul of the Foundation’s leadership to include its President. Furthermore, a unifying branding campaign is now underway, rallying underneath the banner event, Make March Matter, in which TDI is a lead participant.

Board Member, James Madison University STEM Executive Advisory Council – Innella is an active participant in support of JMU’s STEM mission. As part of the STEM Board he provides guidance on issues ranging from curriculum to infrastructure. In addition, he has encouraged internship programs with JMU to recruit new talent into TDI. He recognizes the future stars of cybersecurity are currently in the hallowed halls of learning. As an example of his belief in academic backing, Innella directed TDI’s collaboration with JMU and its Department of Computer Science. He started the TDI/JMU Cyber Defense Fund and supported a wide-range of activities which enhanced the CS curriculum, scholarship and outreach. TDI’s Fund went towards equipment, travel, workshops, speakers, conferences and competitions like the VA Tech Cyber Capture the Flag Summit where JMUrecently ranked third in the competition. Dr. Simmons, JMU CS Department Head, said “TDI’s support of our Cyber Defense program enables cyber defense related travel and upgraded infrastructure for the program. The students benefit greatly!”

Co-Chair Children’s National Corporate Advisory Council - As Co-Chair, Innella leads the Council of C-Suite and Senior Executives in fulfilling the CAC’s mission of making Children’s National the charity of choice in the National Capital Area. It is his charge to ensure members of the council offer their business expertise and talents to help expand corporate philanthropic support of Children’s National. Council members have four main roles that the co-chairs foster and oversee: advisors, advocates, ambassadors, and philanthropic supporters of Children’s National. He has successfully brought corporate leaders together to contribute their time, expertise, and business acumen to advise on philanthropic business development strategies to meet and grow the Foundation’s fundraising goals. He ensures the council provides an independent, unbiased sounding board for brainstorming and implement new corporate fundraising initiatives; expand into their networks to enhancerelationships between the private sector and Children’s National; and serves as ambassadors for Children’s National to link the organization to the corporate community and potential funders. Through his direction, the CAC has been come to be called the informal Cabinet of Children’s by its CEO, drafted and delivered the Corporate Giving Guide for Children’s, and delivered guidance on coordinating social media activities to tie together corporate philanthropy under the Children’s umbrella.

Board Member, WashingtonExec’s Cyber Council – Innella actively supports the mission of the WashingtonExec Cyber Council to bring together cybersecurity thought leaders from all industry sectors to share knowledge and trends associated with the growing cyber threat, human capital development, remediation and risk reduction strategies, and STEM initiatives associated with cyber.

Previous Board Member and Information Systems Security Association National Capital Chapter Vice President of Education

Board of Advisors, Forge Nano

Board of Advisors, Don Ciccio LLC

Board of Advisors, Angelina Holdings LLC

Previous Board of Advisors, GetIT LLC

Skills and Expertise: Please describe specific areas of expertise you would bring to the Board and apply to the organization’s strategic planning.

There are unique experiences in one’s career which may ultimately define their character and   shine light on their strengths. For Innella, starting a company from nothing and then running while growing it over nearly two decades has naturally shown his qualities. He has had to learn nearly all aspects of business – from accounting to federal contracting law to establishing joint ventures – in order to fully grasp the challenges that lie in his path. At each turn, it became essential to intimately learn the problem and then quickly address it through a well thought out strategy. In short, his company’s very existence is defined through the strategies he developed and upon which he executed tactical plans. It is this capacity to first listen and then understand a given problem, passionately and extemporaneously advocate for a solution to it – generally by way of a lucid story - and ultimately develop and execute a strategy to overcome these challenges which truly defines Innella. This specific area of expertise will be of great benefit to the (ISC)² Board of Directors as it strategically plans. In addition, his diverse Board service has proven that he is anything but shy in terms of offering constructive opinions, particularly in group settings. His experience and character will contribute insightful and thought-provoking discussions to the entire Board as it is his opinion one should serve on a Board with the goal of solving problems via active engagement and honest sharing of ideas. Finally, he started a charitable non-profit organization which hasraised $2 million for children in just five years’ time. He also serves on numerous philanthropic boards and so he can bring experience with non-corporate Board achievements for community betterment.

Your Goals and Objectives: Why are you interested in serving on the (ISC)² Board of Directors, and where would you like to lead (ISC)² as a Member of the Board of Directors?

Since entering the cybersecurity space some 20 years ago, Innella has endeavored to improve the field through active participation in the cyber community at large, volunteering his time and resources, freely offering expertise via lectures and publications, and by building a company whose entire value system promotes cybersecurity advancement. During TDI’s very first year of business, in fact, he ensured one of TDI’s core values – proudly displayed on the company website and within their offices – reads: We have a responsibility to contribute meaningfully to the field of cybersecurity, influence its evolution, and set the standard. Through his direction, this value permeates the firm’s culture and everything they do, from R&D to consulting. For the better part of his professional career, Innella has been focused on making the industry better than it is today. As an advocate and ambassador of (ISC)²’s mission, he feels this challenge is one he is most comfortable with, performing in this role for James Madison University and Children’s Hospital as part of his Board service for these organizations. Moreover, he would look for avenues on how to engage other organizations like these to participate in the mission of (ISC)² and to expand the reach of cybersecurity’s allure so the field may broaden its supporting base. Finding challenges like these and corresponding strategies to address them is something Innella is most passionate about and would very much like to participate in (ISC)²’s Strategic Planning Committee. In this capacity he would hope to lead strategies that look for opportunities to broaden outside organizational participation while encouraging passion in cybersecurity in youth. Leveraging frameworks of other organizations, while simultaneously supporting them, to successfully grow the (ISC)² brand through expansion of our field is - to Innella –  a great place to start.

(ISC)² Strategic Contribution: What would you like to see done to improve (ISC)²’s strategic contributions to the information security community?

While a Member of Boards such as Children’s National Medical Center and James Madison University’s STEM Program Innella has advocated for and ensured execution of a strategy to be philanthropic, engender support of and passion for these organizations, and propagate this message via social media. He would like to bring this mentality to the (ISC)² Board of Directors and has a specific idea on how he might do so. Innella believes (ISC)² has an opportunity to strategically improve its community involvement – meaning the broader community at large – while in concert creating a passion for cybersecurity in youth, especially in female youth. Innella would like to support the launch of a program to develop innovative learning technology for children to understand and get interested in cybersecurity; e.g., a videogame focused on hacking into a fortress. We would advocate the dissemination of this technology in hospitals, shelters, and    homes that focus on children. In his experience, through volunteering and hospital board participation, children are voracious consumers of any technology and technological concepts, including at times the machines that keep them alive. He has further noticed there are just as many girls as boys in hospitals who are using available technology. For example, at Children’s National, most children who have learned and used technology in their workshops are female. By providing children with a technological means to become inspired by cybersecurity we achieve the following:

Future professionals and leaders in the cybersecurity space

A far greater likelihood of attracting women to our field with early life exposure to cybersecurity, helping to close the serious gap created through having only 11 percent of cyber professionals being female

Philanthropic support of our community at large

We could begin with Children’s National and see how that could spread out to other organizations. To address how we might garner the involvement of industry we could create an award targeting support of philanthropy through the use of or in the name of cybersecurity. While he is well-aware of the (ISC)² awards - from the (ISC)² Harold F. Tipton Award to the Fellow of (ISC)² - he believes there is an opportunity for another award for those in our community who endeavor to use our profession for philanthropic goals. We could begin by gathering industry leaders and letting them know about the program and encouraging their support. Those who choose to get involved would be urged to develop the tools we discussed earlier, focusing on getting children excited about cyber. We may then perhaps call the award something like the (ISC)² Honorem Communitatis Servitium.

Regional and Cultural Perspective: Please describe any specific regional or cultural perspectives you may bring to the Board based on living and/or working in various regions of the world.

His family, upbringing, work and social lives all revolve around an adamant demand for an international existence and perspective. Innella was born an American citizen in Istanbul, Turkey to his mother, an Italian citizen at the time, and his father, an American-born son of Italian and Irish immigrants. His father was in the U.S. Navy and traveled the world and in so doing met Innella’s mother who had grown up in Turkey with her Italian family. He spent the first five years of his life in Europe and Asia, from Turkey to Greece to Italy and France before settling in the United States. The larger part of his family live abroad so he spent many childhood summers living in Rome, also visiting family in Turkey and France. Innella’s mother speaks five languages so she also instilled in her children a great appreciation and respect for language and culture of all kinds. As a family, they often traveled overseas. While growing up, at every turn he seized upon opportunities to travel overseas like in high school where Innella joined the choir to travel and sing in Finland, Estonia and the Soviet Union – when it was still in fact the U.S.S.R. He studied abroad for many months, and on different occasions, through full immersion in Italy and architectural studies in Greece and Turkey. Again homing in on culture, he delivered an Honors Program speech - while at university - on research he completed aligning cultural mores of contemporary Turkey and Greece to architectural intentions of the ancients whose ruins still dot those lands. Innella has always cherished the unequaled experience one gains through immersing oneself in cultures beyond one’s home.
To that end, living overseas after university on repeated occasions and for extended periods of months at a time in London, Rome, and Florence, all the while traveling around to other localities, Innella chose his first full-time position of employment, exploiting his computer science degree, at a company which supported U.S. embassies around the world for the sole purpose of being able to travel to said embassies and he did so to Japan, Indonesia, and the Philippines. Soon thereafter he accepted another position – mostly influenced by the possibility of travel - whereby settling in London for many months to run the European engineering operations for a cybersecurity software company. Innella was able to travel the whole of Europe in this position, interfacing daily with German, English, French, Italian, Swiss, Spanish and many other nationalities. Had he not begun his company 17 years ago, it is without a doubt he would have chosen to live overseas somewhere strategically located to allow for frequent and diverse travel. Nonetheless, Innella ensured his passion for travel and cultural awareness and education was constantly satisfied. Of the speeches he has delivered, nearly half of those were in a foreign land. In addition, using relationships he forged over his lifetime he opened an office for his company in London having already established a trusted colleague to run its operations and staff to carry out contracted work. In addition, he has often been asked why he chose to engage in executive seminars or participate in conferences overseas versus those more local – his response is consistently the same: without the perspective of those outside one’s borders one cannot truly understand the world, how it works, and how to work with one another. Consequently, Innella has always identified as a person borne of many cultures. In fact, a Brazilian professor - Jose Santos - at the University of Cambridge’s Advanced Leadership Programme, a three-week executive educational program representing nearly 20 nations, said Innella was a “bi-national” as he had clearly identified in an academic paper he authored. To drive the point home, over the last ten years alone Innella has spent well over two months of every year in a country other than his home, traveling to countries outside of the United States almost 100 times. Whether it be nuances of regional cuisine, colloquial variations of certain lexicon, or unique points of view only gained through a worldly life experience, Innella has endeavored his entire life to ensure his influences did not only develop by way of his next-door neighbors.

Professional Recognition: Please detail any recent or notable professional or peer recognition, including recognition of your skills, strategic contributions, or trust. Also include public speaking, authorship of notable books or papers.

AWARDS:

SmartCEO 100 Best-Run Companies

Smithsonian OIT Letter of Commendation

WHITE PAPERS, INTERVIEWS, & PUBLISHED ARTICLES:

“Some States to Start Auditing Election Results to Check for Vote Fraud,” eWeek, Interview, November 2017

“North Korea Getting Ready Wage a Global Cyber War, Experts Say,” eWeek, Interview, November 2017

“Rogue governments using ‘off the shelf’ hacks, Google warns,” Financial Times, Interview, September 2017

“Addressing the deficit in cyber security workforce and national policy,” HelpNet Security, Interview, July 2017

“White House, businesses hit snooze button after Petya, WannaCry wake-up calls,” Third Certainty, Featured Story, July 2017

“Industry Reactions to Destructive NotPetya Attacks: Feedback Friday,” SecurityWeek, Interview, June 2017

“We can't accept election hacking as a new normal,” CSO, Interview, June 2017“Can A.I. Defend Our Financial Institutions Against Hackers?” Forbes, Interview, May 2017

“Surviving a cyber attack with Paul Innella,” ABC News, Television Interview, May 2017

“Despite the tears, WannaCry may not spark action,” SC Magazine, Interview, May 2017

“Russian suspected of U.S. election hack arrested in Spain,” SC Magazine, Interview, April 2017

“Trump leaves key cybersecurity jobs vacant across the government,” ThinkProgress, Interview, March 2017

“What the WikiLeaks document dump tells us about theCIA's Frankfurt base,” FOX News, Interview, March 2017

“Protecting the enterprise against mobile threats,” CSO, Interview, February 2017

“Trump gets mixed reviews on cybersecurity, one month in,” SC Magazine, Interview, February 2017

“Cybersecurity in 2017: Managing chaos in an age of unavoidable attacks,” siliconAngle, Interview, February 2017

“Trump White House CISOCory Louie Reportedly Removed From Post,” SC Magazine, Interview, February 2017

“Paul Innella: Targeting federal cybersecurity’s not-so-smart practices,” Federal News Radio, Radio Interview by TomTemin, January 2017

“Why companies offer a hacking bounty -- and why there are challenges,” CSO, Interview, January 2017

“Top Ten Hacks,” MSN, Interview, 2013

“WWIII on the WWW,” EuroNews, Television Interview, 2013

“State of Cyber Security,” Center for a New American Security, Interview, 2013

“Cyber Security and Terrorism,” WTOP Federal News Radio, Radio Interview by JJ Green, 2006

“Al-Qaeda in Hacking War Says Head of Security Firm,” ComputerWeekly, April 2006

Information Security Experience: If you have specific information security experience you feel would be relevant to the board, please include here.
Innella is extensively experienced in a broad array of information security topics having spent the bulk of his work career prior to TDI working as a cybersecurity engineer and subsequently in TDI’s formative years continued to consult on numerous cybersecurity topics. While in the early stages of TDI’s growth, he provided the following services to TDI’s customers: cybersecurity and vulnerability assessments, cybersecurity policy review and design, IT auditing, asset identification and valuation, software development security review and training, education, security awareness training, legal security review and implication training, specialized security services, and product recommendations and integration. He also served as Subject Matter Expert on projects to the NYSE, HUD, USMC and Monster.com.

Leadership or Management Experience: Please describe any relevant leadership or management experience in any part of your professional career.
Innella founded, financed, and grew TDI into a world-class multi-million dollar profitable consulting firm offering cybersecurity services to government agencies and commercial clients around the world. Tackling various management challenges over the last 17 years, he made many decisive leadership moves to ensure TDI endured and thrived. He changed his own leadership style to adapt to the state of the business – in particular with respect to size and culture given TDI began as a privately-funded company which grew from a single initial employee. He spent time defining three critical areas to focus on as leader of the company. Most often, Innella provides vision and direction, makes the most important decisions, and monitors with a keen eye to instill strategic, decisive, and critical qualities in TDI’s culture, particularly at the executive level. He inspires stakeholders by branding TDI’s image through its message, motto, and mode. He has conveyed to TDI employees the message of leadership in the field of cybersecurity. To lead his team into the future, he developed the internal motto that TDI is not an IT company doing cyber security, “we are cybersecurity,” and ultimately translated this into TDI’s current slogan which drives TDI’s culture: Information Assured, Cyber Secured. For more than 20 years, he’s had to learn about all aspects of running a company from back-office to the front stage.

Volunteer Experience: What experience do you have working as a volunteer, including charitable organizations?
As CEO and 90 percent owner of TDI, Innella’s philosophy, and one he has endeared to all of his staff, is they are not simply about protecting the bottom line. He embraces participation in and giving back to the cyber and at-large communities. Philanthropically, he takes part in and sponsors events for children, battling cancer, soup kitchens and more. Combining professional networking and philanthropy, he founded a major cyber gala, White Hat, which has raised nearly $2M for children. To engage academia and grow future cyber leaders, he sponsors a cybersecurity fund and hackathons at universities. At TDI, he has made sure “we put our money where our proverbial mouths are” and get involved, from academia to professional associations to philanthropic endeavors in our communities.
Siu Cheong Leung, CISSP, CCSP
Country/Region: Hong Kong

Bio: Mr. SC Leung is currently the Centre Manager of the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) which is operated by the Hong Kong Productivity Council. He supervises the security incident response team and coordinates with local and overseas parties. He has more than 25 years of experience serving a variety of industries including banking, internet service provider, telecommunication service provider, consultancy and software distribution.

In 2001, he founded the Professional Information Security Association (PISA) with a group of passionate professionals in Hong Kong. PISA gradually developed into a strong organization in Hong Kong and later became the host of the (ISC)² Hong Kong Chapter.

SC Leung has actively participated in (ISC)² and is currently a member of the (ISC)² APAC Advisory Council. He has also served in the (ISC)² APAC ISLA judging panel and on the (ISC)² Chapter Governance Committee. Leung has been recognized for his volunteer work and product neutral security awareness education to the public. He received the (ISC)² President’s Award in 2013 and the Asia-Pacific Information Security Leadership Achievement honouree in 2007.

He holds several information security designations including CISSP, CCSP, CISA and CBCP and is a certified Trainer of the TRANSITS I international CSIRT training. He is a frequent speaker in promoting information security awareness. Leung has been invited to speak for Hong Kong Monetary Authority, Securities and Futures Commission, CLP, MTR, Hong Kong Gas, Hong Kong Police Force, Government departments, enterprises, universities and schools and local non-governmental organizations. He had also spoken in overseas conferences for (ISC)², FIRST, APCERT, National CSIRT Meeting, APECTEL, CNCERT/CC of China and the National University of Singapore. He was the founding member of several associations in Hong Kong including PISA, the Internet Society Hong Kong and Cloud Security Alliance Hong Kong and Macau Chapter. Currently he holds posts as the Vice Chairperson (External Relationship & Membership) of Cloud Security Alliance Hong Kong and Macau Chapter, as the Director of Internet Society Hong Kong, and as the Chief Editor of the PISA Journal.

Experience in Business Strategy: Please detail your experience in managing a business or business unit, with special emphasis on strategic planning.

Leung has managed the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) for 17 years, during which time he gained valuable management experience, including:

(1) Setting goals and developing strategy for HKCERT - Every CERT is a unique organization with regard to its constituency, funding source, authority provided by local law and regulation. Accordingly, Leung helped setting up the vision and mission.

(2) Building strategic partnerships - Leung identified and engaged key partners, such as local government bodies, law enforcement, regulatory bodies, critical internet infrastructure organizations, global CERTs community (FIRST, APCERT) internet organizations (APNIC, DotAsia) security vendors and researchers.

(3) Acquiring funding and resources from government and sponsors, while managing the financial aspects of projects.

Board experience in several voluntary information security associations also aid Leung in providing advice in chapter management strategy.

Professional Education: Describe any professionally-relevant higher education and/or professional education experience, training and certifications.

Leung possesses the following academic qualifications:
• Master of Arts in Arbitration and Dispute Resolution, City University of Hong Kong
• Master of Science (Hons.) in Computer Science, University of Wollongong
• CE Diploma of Information and Internet Security, City University of Hong Kong
• Bachelor of Science (Hons.) in Electronic Engineering, Chinese University of Hong Kong
Leung possesses the following Professional certifications:
• CISSP
• CCSP
• CISA
• CBCP
• Certified Trainer of TRANSITS I

Industry Board Experience: Please describe any current or past industry board experience, including your role, strategic contributions, and any measurable outcomes.

(1) Leung was the founding member of Professional Information Security Association (PISA), Internet Society Hong Kong and Cloud Security Alliance Hong Kong and Macau Chapter. He has led the drafting of the Constitutions and Bylaws, and establishment of external relationship with government and professional bodies. He was a key member in the formation of the (ISC)² Hong Kong Chapter under PISA, as well as in preparing the agreement between (ISC)² and PISA.

(2) He is currently a board member of the following organizations:
• Vice Chairperson (External Relationship & Membership), Cloud Security Alliance Hong Kong and Macau Chapter
• Director, Internet Society Hong Kong

(3) In his service as the Founding Chairperson of PISA in 2001, he demonstrated his vision in organization and strong partnership. He established the programme committee outside the executive committee which formed a strong foundation of PISA and initiated several external projects which built strong partnerships with local and overseas organizations.

In 2002 PISA initiated the Wi-Fi Wardriving Study in Hong Kong and in 2003, PISA partnered with WTIA, an local industry association in wireless technology, to bring this project to a wider IT community. In 2003, SARS hit some Asian economies, Leung led a joint project of PISA with two partners in Singapore (BCP Asia and (SIG)2) to conduct a comparative study of contingency measures adopted in Hong Kong and Singapore. The result was published to raise the awareness of professionals in Hong Kong and Singapore. In 2004, he led a joint project of PISA with AiTLE, an association of IT teachers in schools, to develop a security assessment guidebook for school environment. He also founded the PISA Journal in 2005 and acted as the Chief Editor. He led coordination efforts with (ISC)² with ISOC and CSA to organize the (ISC)² SecureHongKong Conference.

Skills and Expertise: Please describe specific areas of expertise you would bring to the Board and apply to the organization’s strategic planning.

(1) Forming strategic partnership with different organizations
Security is not an island. It requires collaboration of multiple agencies, both public and private. Leung hopes his experience in cross-border and cross-sector collaboration, information sharing, and the human network in the Asia Pacific can benefit the (ISC)² Board of Directors through connecting more partners to further (ISC)²’s objective to be the leader of global information security professionals.

(2) Effective chapter management
(ISC)² is actively developing chapters globally to extend the reach to the professional community and to provide better service to members. Chapters are also platforms for grooming leaders and gathering forces to serve the community. Leung has more than 17 years of experience in the formation and management of chapters for international organizations and lessons learned in Hong Kong forming a chapter based on a successful local information security association can be modeled elsewhere.

(3) Conducting strategic projects that help promoting cybersecurity to government, regulatory bodies, and the community at large
Cybersecurity becomes a key policy area for governments. Throughout his work in HKCERT and involvement in PISA, Leung has contributed to projects that impacted on public policy. To cite a few examples:

• Wi-Fi Wardriving Tracking Study: an annual survey started in 2002 by PISA. The study provides a tracking survey of the use of Wi-Fi secure protocol in Hong Kong. The study had successfully attracted media and public attention and helped promoting public secure awareness in the use of Wi-Fi in these years. The government regulatory body on telecommunication (OFCA) had presented this study in international arena.

• Study on Security Issues of Mobile App SSL Implementation: a joint project of PISA and HKCERT in 2015. They assessed the flaws of SSL implementation in common mobile apps in Hong Kong which had transaction function. The study found that one-third of the surveyed mobile apps had different kinds of flaws that gave opportunity for attackers. The project also provided a practice guide for mobile developer to put security implementation of SSL in the SDLC. The study aroused interests of the public and mobile app development community. The regulatory bodies like Hong Kong Monetary Authority, Securities and Futures Commission and the Office of Personal (Data) Privacy Commission had followed up the cases of problematic mobile apps.

• Hong Kong Enterprise Cyber Security Index Survey: the study was first conducted in 2018 by Hong Kong Productivity Council, HKCERT and SSH Security Communication. The index was devised to track the ongoing comprehensiveness of security measures adopted in the enterprises.

(4) Promotion of cybersecurity for Smart City
Smart City initiative is a key policy of governments in developed economies. The initiative brings about challenges in both security and privacy. One of the key challenges involves a cultural change and process re-engineering to many operational technology (OT) engineers who are not IT practitioners today. While in the future most of the devices connected to the Internet are managed by these OT practitioners, they have a weak sense or understanding of cybersecurity. Leung has had practical experience in promoting cybersecurity to this audience including Cyber Security International Conferences for Industry 4.0. He led the planning and execution of two conferences in 2017 by Hong Kong Productivity Council for manufacturing, logistics, trading, import/export, food industries and academia, and engaged with the industry leaders. International experts were invited to share the cyber security threats to industrial control systems and IoT, security framework, technologies, human and cultural aspects of the problem.

Your Goals and Objectives: Why are you interested in serving on the (ISC)² Board of Directors, and where would you like to lead (ISC)² as a Member of the Board of Directors?

It would be Leung’s honour to join the course to achieving these goals:

(1) Bringing information security to a new height in the digital transformation by engaging a wider community.
(ISC)² can give security assurance to the society in the digital transformation (such as smart city, smart industry, use of data analytics, AI and machine learning) as a trusted body by defining the required security practices and partnership with other industry sectors (e.g. smart industry) to engage non-IT professionals to adopt these practices.

(2) Promoting the status of information security professionals as the leaders in change
(ISC)² has a community of information security professionals who possess the knowledge and experience in dealing with management and technical challenges in digital transformation, and the ethical commitment to protect the interest of people in terms of security and privacy. The (ISC)² ISLA programme has helped the sector gaining more reputation and attention from the industries. Leung would like to see the impact of this programme reach a wider community of non-IT profession.

(3) Enhancing the information security profession development in a changing environment
(ISC)² has defined the common body of knowledge (CBK) in information security. The CBK should evolve with the changing environment. We must review the new environmental changes like smart city, privacy protection regulation, demand for hands-on practical skills and distant learning. We also need to look at the grooming of professionals and research in earlier stage of education.

(4) Contributing to the Society
The (ISC)² Safe and Secure Online programme is a valuable work that offers resources for educators, leaders, and volunteers everywhere to teach the community cyber safety. Leung would like to see it be further developed and provide more tools and videos for use.

(ISC)² Strategic Contribution: What would you like to see done to improve (ISC)²’s strategic contributions to the information security community?

(1) Finding the best solution in enhancing the development for professionals.
(ISC)² must respond to the growing demand for professional development. There is demand for practical hands-on training on top of the conceptual knowledge; there is requirement for self-paced online training but also closely guided tutorship. On the other hand, there are other certifications which may also try to address these needs. Leung likes to see (ISC)² partnering with other organizations to provide those trainings and certifications or mini-certifications.

(2) Serving the needs of members in their profession
Additionally (ISC)2 has to serve the needs of members in their profession. Information Security professionals face a great demand to keep updated with the vulnerabilities, cyber threats, compliance requirements, security framework and best practices. (ISC)²’s Security Central was designed to address the problem, but it can be further enhanced. Information sharing is a key to get abreast of cyber threats. (ISC)² can consider providing members with a subscription-based trusted sharing platform for members. Forming a community of cross-border information security professionals would be of high value. Integration of the services (webinar information, threat intelligence and discussion forum seems to be a way to make the access easier). Along this line of thinking we must make the services more convenient to access, for example, via a mobile app.
(3) Developing a strong youth professional development program

Leung would also like to see more work done in developing a strong youth professional development program. Some economies are grooming information security professionals at an earlier stage. The (ISC)² International Academic Program is designed for partnership with academic and higher education institutions globally to support the development of curricula and teaching for cyber, information, infrastructure and software security. Besides the IAP, security contests in schools and universities and formation of clubs/association within the institution would be the next step. Local chapters can get involvement with resource support from the (ISC)² office to promote cybersecurity in schools and universities like workshop and capture the flag.

Regional and Cultural Perspective: Please describe any specific regional or cultural perspectives you may bring to the Board based on living and/or working in various regions of the world.

Leung was educated in Hong Kong and Australia. His work in HKCERT has close liaison with regional organizations like CERTs and security vendors & researchers. Together with his participation in the (ISC)² APAC Advisor Council, Leung can bring in a trusted human network in Hong Kong and the Asia Pacific. Besides his connection with global CERTs and security organizations, and participation as the director of international organizations like Internet Society and Cloud Security Alliance, he can help bringing these international connections, especially that of Asia Pacific to the Board.

Professional Recognition: Please detail any recent or notable professional or peer recognition, including recognition of your skills, strategic contributions, or trust. Also include public speaking, authorship of notable books or papers.

Leung has received several awards from industry recognitions:

• (ISC)² President’s Award in 2013
• (ISC)² Asia-Pacific Information Security Leadership Achievement honouree in 2007 and the showcase honouree
• IT Excellence Award 2013 by a Hong Kong magazine eZone

He has also been invited to deliver speeches, training, and to attend panel discussion in Hong Kong by organizations, including Hong Kong Monetary Authority, Securities and Futures Commission, CLP, MTR, Hong Kong Gas, Hong Kong Police Force, Government departments, enterprises, universities and schools and local non- governmental organizations. Leung has also spoken in overseas conferences for (ISC)², FIRST, APCERT, National CSIRT Meeting, APECTEL, CNCERT/CC of China and the National University of Singapore.

Information Security Experience: If you have specific information security experience you feel would be relevant to the board, please include here.

Leung has 17 years of experience in CERT management and actively participated in the coordination of APCERT Cyber Drills, bringing the cyber drill exercise to Hong Kong for ISPs and critical infrastructure players. He developed the business continuity plan for HKCERT and conducted consultancy work in BCP, CSIRT training, network and security review, implementing secure network, managing the ISP network and security infrastructure. When working in the banking industry, Leung was a key person in developing the system and security health monitoring for Fastwire, the bank’s payment system connecting to SWIFT. He led information security surveys that gauge community views on cybersecurity and first-hand study on mobile app security, In recent years, he has focused on building cross-sector information sharing and collaboration platform in Hong Kong, and smart industry cyber security training for operational technology staff in critical infrastructure.

These new areas would be his contribution to (ISC)².

Leadership or Management Experience: Please describe any relevant leadership or management experience in any part of your professional career.

Professional:

• Centre Manager, HKCERT (2001-present)
• Technical Manager, Globalnet Telecommunication Limited (2000-2001)
• Chief Technical Specialist, Sema Group (1999-2000)
• Senior LAN Administrator, New World Telephone (1997-1999)
• Senior Technical Specialist, Standard Chartered Bank (1991-1995)
Voluntary Service:
• Vice Chairperson, Membership of Cloud Security Alliance Hong Kong and Macau Chapter
• Vice Chairperson, Strategic Committee, the Professional Commons
• Past Chairperson, Internet Society Hong Kong
• Past Chairperson, Professional Information Security Association (PISA)

Volunteer Experience: What experience do you have working as a volunteer, including charitable organizations?

Leung has served as a volunteer speaker for Secure and Safe Online Program of (ISC)² and (ISC)² to Government talks. He has also led a group in Professional Information Security Association to work with AiTLE, a local teacher organization to produce an information security assessment guide for schools in Hong Kong
Dr. Brian David Anthony Mussington, CISSP
Country/Region: United States

Bio: David Mussington is currently Professor of the Practice at the University of Maryland, College Park School of Public Policy. Most of his early career was spent working at Department of Defense think tanks, beginning with RAND Corporation from 1995 to 2006, and returning to security policy research at the Institute for Defense Analyses (IDA) in 2013, initially working full time – and now a member of their adjunct research staff. In the intervening period, he joined Amtrak as a counter-terrorism analyst, rising to serve as Chief – Corporate Security in 2009, before joining the Department of Defense as Senior Advisor for Cyber Policy in the Office of the Secretary of Defense (OSD) in 2010. In 2011, he joined the National Security Council Staff as Director for Surface Transportation Security Policy, serving there until the end of President Obama’s first term in 2013. These varying experiences gave him a deep background in public policy analysis, and a sense that some of the analytical lessons learned are not easily applied in the private sector. Since 2013, he has led various projects in the cyber policy and international security domains, consulting for NATO on cyber plans and military doctrine, serving as a consulting CISO at the Bank of Canada (the country’s central bank), and participating with international colleagues from nations as disparate as India, the Netherlands, the U.K., France, Russia, and China on track 1.5 discussions of nascent cyber norms and conflict avoidance. At the University of Maryland, his responsibilities as director of a research center are much broader than cyber policies and risk management, focusing on the potential for public-private partnerships to augment capacity for solutions to some of the most pressing problems confronting governments and the citizens they serve.

Experience in Business Strategy: Please detail your experience in managing a business or business unit, with special emphasis on strategic planning.

Mussington served as a strategist at the U.S. Department of Defense, leading development of the first enterprise-wide cyber strategy in 2011 - titled the Defense Strategy for Operating in Cyberspace. He also led development of the Bank of Canada’s first Cybersecurity Strategy in 2014. At RAND Corporation and elsewhere, he was involved in strategy and policy development efforts and directed critical infrastructure policy and strategy operations and strategies from 2008-2010 as Chief - Corporate Security at Amtrak

Professional Education: Describe any professionally-relevant higher education and/or professional education experience, training and certifications.

Mussington has earned both a B.A. and M.A. degree in Economics and Political Science (respectively) from the University of Toronto, and a Ph.D. in Political Science from Carleton University. He conducted post-doctoral research at Harvard University, the International Institute for Strategic Studies in London England, and at the Center for Non-Proliferation Studies at the Monterey Institute of International Studies (now Middlebury College at Monterey). He came to the United States in 1991 to conduct post-doctoral work at the Harvard Kennedy School. While there, he worked on denuclearization efforts designed to secure and safeguard spent nuclear materials and sensitive scientific data, preventing diversion of these items to proliferators of weapons of mass destruction, or to terrorists. Mussington found this work incredibly rewarding and taught him the value of policy informed by empirical data and analytic rigor. It also showed him the value of experience and inspirational leadership.

Industry Board Experience: Please describe any current or past industry board experience, including your role, strategic contributions, and any measurable outcomes.

Mussington is currently on the advisory boards of two companies in Canada: the advisory board of Red Canari, a cybersecurity and professional services firm based in Ottawa; the advisory board of SecDEV ZeroPoint, a consultancy that analyzes threats to online privacy and identifies foreign cyber surveillance activities.

Skills and Expertise: Please describe specific areas of expertise you would bring to the Board and apply to the organization’s strategic planning.

Mussington’s expertise is in U.S. government policy-making in the cybersecurity and critical infrastructure protection areas. He has served in senior positions at the DoD and White House, with oversight and policy making roles relating to the Department of Homeland Security, the Department of Transportation, and the Intelligence Community.

Your Goals and Objectives: Why are you interested in serving on the (ISC)² Board of Directors, and where would you like to lead (ISC)² as a Member of the Board of Directors?

Mussington is interested in serving on the (ISC)² Board of Directors because he feels an obligation to give back to the community. He feels that cybersecurity is an issue at the heart of many of the most vexing public policy problems facing U.S. and international communities. Cyber capabilities bring not just problems, but also empower solutions.
His goals as a member of the Board of Directors would be to contribute to the future vision of (ISC)² as a dynamic element of a renewed professional organization allocating its resources and expertise to the betterment of both its members and to the community of companies and governments that they serve.

(ISC)² Strategic Contribution: What would you like to see done to improve (ISC)²’s strategic contributions to the information security community?

Mussington is seeking a more unified approach to public messaging and risk communication, positioning (ISC)² as a leading commenter and shaping instrument to improve public understanding of cybersecurity risks, risk management practices, and the ethic of “do no harm.”. He also wants (ISC)² to reinforce its already apparent role as a transmitter of subject matter expertise in the cyber area to a new generation of specialists - raising the level of public understanding of cyber challenges and shaping the selection of policy and technical responses based on best practices, sound judgment, and rigorous analysis of empirical data.

Regional and Cultural Perspective: Please describe any specific regional or cultural perspectives you may bring to the Board based on living and/or working in various regions of the world.

As an African-American CISSP, Mussington is attuned to the importance of diversity in the (ISC)² membership, and wants to expand and enhance the organization’s reach to new communities through structured outreach and novel messaging that leverages social media platforms and the already excellent baseline platform of conferences and continuing education. As an immigrant from the U.K. and Canada, he has a unique background both academically and personally providing a different perspective on many issues.

Professional Recognition: Please detail any recent or notable professional or peer recognition, including recognition of your skills, strategic contributions, or trust. Also include public speaking, authorship of notable books or papers.

Mussington was appointed to the National Security Council Staff by President Obama in 2011, serving at the White House until the beginning of 2013. Prior to this position, he was selected by then U.S. Defense Secretary Robert Gates to serve as Senior Advisor for Cyber Policy at the Office of the Secretary of Defense, serving there from 2010-2012. In 2010, he was named a Cyber Visionary by Black Engineer magazine.

Information Security Experience: If you have specific information security experience you feel would be relevant to the board, please include here.

As CISO at the Bank of Canada, Canada’s central bank (analogous to the U.S. Federal Reserve), Mussington liaised with counterparts at the Bank of England, the Bank of the Netherlands, and at the U.S. Department of the Treasury. Analysis of cyber risk as a component of operational risk was his central activity, and since then he has continued to research the financial sector cyber risk management guidance. His role at the U.S. DoD included assisting in the setup of USCYBERCOM in 2010, and in the writing of policy for defense support to civil authorities and the private sector in cyber defense. Mussington obtained his CISSP certification after working in these roles, benefiting from the framework that the standards-based curriculum provided. He saw the value of this frame of reference in DoD and has since used this valuable framework in both academic and consulting venues.

Leadership or Management Experience: Please describe any relevant leadership or management experience in any part of your professional career.

Progressing in his career from analysis tasks to program management, and senior executive management roles - and being appointed to the U.S. Government’s Senior Executive Service in 2010, Mussington’s leadership experience is varied and vast. His focus is on achieving results through both rigorous analysis and incentivized business cultural change. His diverse experience has given him a unique perspective on the requirements for success in challenging public and private sector organizations.

Volunteer Experience: What experience do you have working as a volunteer, including charitable organizations?
Mussington serves as a mentor to students in his role as Professor of the Practice at the University of Maryland. He is also a member of the academic journal editorial board for the journal Connections, published by the Partnership for Peace Consortium, a North Atlantic Treaty Organization (NATO) affiliate. than has been possible in my career to date.
Lori O'Neil, CISSP
Country/Region: USA

Bio: Lori Ross O’Neil is a researcher in control systems cybersecurity at the Pacific Northwest National Laboratory (PNNL) in Richland, WA (U.S.), a Department of Energy (DOE) lab. Her work has focused on protection of a variety of critical infrastructure sectors with a primary focus on energy. She has supported DOE, NNSA, DHS, IAEA, NRC, NERC, UNICRI and private industry and been a PNNL researcher for 20+ years making her familiar with a broad range of the industry’s leading multidisciplinary cyber and cyber-physical security programs. O’Neil has extensive experience working collaboratively with colleagues from international and domestic national laboratories, government agencies, and scientific organizations and has a passion for work with challenges involving diverse groups working towards a common goal. She volunteers regularly in STEM education and workforce development with a focus on cybersecurity for all ages. Prior to coming to PNNL, O’Neil worked at National Aeronautics and Space Administration (NASA) doing both flight test and engineering manufacturing in support of space vehicle programs. Her degree is in Computer Science and she holds CISSP and PMP certifications.

Experience in Business Strategy: Please detail your experience in managing a business or business unit, with special emphasis on strategic planning.

In 2000 O’Neil had the good fortune to be part of the establishment of the first CIO’s office at PNNL, staffed by the CISO, deputy CISO and support staff. This group started with just two and has grown to 20 professionals that are helping to shape the cybersecurity strategy for a large research organization. They have laid the foundation not just for a cyber secure culture at the lab, but in the way collaborators, customers and peers see the organization as one that takes cyber seriously and implements it throughout the lifecycle of all of its research products. While still at PNNL, she later returned to cyber research from this endeavor, focusing on the protection of our national critical infrastructure, primarily the electric grid. O’Neil has spent the last eight years submitting proposals, writing papers, serving in the role of project manager and principle investigator of cyber focused research all to shape and grow the PNNL and DOE’s strategy of national critical infrastructure protection.

Professional Education: Describe any professionally-relevant higher education and/or professional education experience, training and certifications.

In addition to her bachelor’s degree in Computer Science, O’Neil is a graduate of the PNNL Management Skills Development Program, a three-year highly selective program to produce those intended to drive and shape business strategy at the lab for DOE and its customers. She also holds a certificate in Artificial Intelligence Knowledge Engineering, is a certified DOE Training Instructor, Agile Scrum Master, and holds a post-secondary teaching credential for California state.

Industry Board Experience: Please describe any current or past industry board experience, including your role, strategic contributions, and any measurable outcomes.

To ensure research for the Department of Energy is relevant and of value to the intended user community, the DOE requires an Industry Advisory Board (IAB) to be part of each project. Establishing, leading, maintaining and gaining consensus of these IABs is something O’Neil has been doing for many years to ensure research successfully moves in the direction most beneficial to the electric industry with a common outcome of making the electric grid more cyber secure. One of the most relevant and impactful boards she has been a part of in recent years was the Energy Sector Control Systems Working Group (ESCSWG) which developed and published the Cybersecurity Procurement Language for Energy Delivery Systems.

Skills and Expertise: Please describe specific areas of expertise you would bring to the Board and apply to the organization’s strategic planning.

O’Neil has a passion for work with challenges involving diverse groups working towards a common goal. To gain that end, she has a strong commitment to ensure everyone’s voice is heard. Working in cybersecurity research on difficult technical problems has given her the patience and ability to hear diverse viewpoints and ideas without judgement and turn these into well-developed plans and approaches that can be conveyed so everyone understands the intended goal and can work to achieve them in a well thought out way. Often someone has a problem that seems insurmountable, but breaking it down into manageable pieces, with regular communication and feedback, gives all involved a strong sense of ownership, and the challenge a greater chance of success.

(ISC)² Strategic Contribution: What would you like to see done to improve (ISC)²’s strategic contributions to the information security community?

O’Neil’s passion is mentoring individuals to become cybersecurity professionals with the intent that they will become cyber evangelists for specific sectors, for her being energy and the protection of the national critical infrastructure. She likes the specialized certifications that (ISC)²has been developing and would like to see more. She would like to see more to focus members in specific cyber areas. She feels that these are common interests that can unite our members across geographical boundaries.

Regional and Cultural Perspective: Please describe any specific regional or cultural perspectives you may bring to the Board based on living and/or working in various regions of the world.

O’Neil has had the privilege to teach cybersecurity in more than a dozen countries, to many skill and age levels. While she may go in with “North American” pre-conceived ideas about how the training will happen or what the students know, she is always surprised and humbled at how everyone’s goal is to do the best with whatever they have to work with. She has been in cybersecurity for more than 15 years and being able to work with diverse groups, whether to a group of school children during Engineer’s week or senior IT professionals, to share expertise and provide resources is truly a privilege. She has also found that being a woman with many years of cybersecurity experience, brings a unique perspective to any situation. She encounters young women consdiering going into engineering, computer science or information security as a profession and has been pleasantly surprised to find that there are women who have been doing this for a long time, often longer than they have been around. This gives them confidence that they too can succeed and affect change in this area. O’Neil enjoys being their cheerleader and encouragers to stay with their goal, no matter how difficult it seems now. She was able to persevere and so will they.

Professional Recognition: Please detail any recent or notable professional or peer recognition, including recognition of your skills, strategic contributions, or trust. Also include public speaking, authorship of notable books or papers.

Over the years at PNNL, O’Neil has received several Outstanding Performance Awards for contributions and leadership to projects and programs of strategic business importance. She has had the opportunity to speak and present her work at many venues and in publications including:

PNNL’s Energy Cyber Security Capabilities and Impacts • , Immersive Laboratory Training for Iraqi Universities: Webinar 3 Information and Knowledge Security for Chemical Threats

Cybersecurity for Department of Defense Microgrids: An Army Perspective

DLA Energy World Wide Conference

Cybersecurity Threats, Consequences, Assessment and Protection Barrett

Defense Logistics Agency Energy Conference

Online Safety for Personal Protection

Security & Privacy, IEEE (Volume:12, Issue: 3) June 2014.

Book chapters:

Implementing an Information Security Program, Glantz CS, JD Lenaeus, GP Landine, LR O'Neil, R Leitch, C Johnson, JG Lewis, and RM Rodger. 2017. "Implementing an Information Security Program."

In Cyber and Chemical, Biological, Radiological, Nuclear, Explosives Challenges: Threats and Counter Efforts, ed. M Martellini and A Malizia, pp. 179-197. Springer, Cham, Switzerland. doi:10.1007/978-3-319-62108-1_9

Use of Deception to Improve Client Honeypot Detection of Drive- by-Download Attacks, Popovsky B, JF Narvaez Suarez, C Seifert, DA Frincke, LR O'Neil, and CU Aval. 2009.

"Use of Deception to Improve Client Honeypot Detection of Drive-by-DownloadAttacks." In Foundations of Augmented Cognition Neuroergonomics and OperationalNeuroscience, pp. 138-147. Springer, Berlin, Germany.

Process Control System Security Metrics -Requirements for an Effective Program, Glantz CS, and LR O'Neil. 2007. "Process Control System Security Metrics -- Requirements for an Effective Program." In First Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection.

Information Security Experience: If you have specific information security experience you feel would be relevant to the board, please include here.

O’Neil has been involved with information security work since 2000. Prior to that, she had established and managed a Unix group for research support. This was the infrastructure of the PNNL research community and provided her with a strong foundation of technical skill which was invaluable in establishing technical controls back before security controls were easily purchased such as firewalls, networks, scanning, backups, asset tracking, etc. This early experience of having to develop capabilities gave her the skills to help build a cybersecurity program from the ground up, the technical security controls, training of users, and establishing policies and procedures. In the early 2000s, long before there was Microsoft’s Patch Tuesday, she established a Security Advisory Review Group to review patches available for all operating systems, determine priority to install, test approach, planned outage, and contingency plans. This group became so efficient at reviewing fixes that Security Advisory Review Tool was developed to review and approve patches via a voting method and install at the next outage. This tool was later implemented at other national labs. This information security experience served me well when moving into research of protection of the national critical infrastructure. She was able to apply the planning process to research and include safety and security throughout the research lifecycle.

Leadership or Management Experience: Please describe any relevant leadership or management experience in any part of your professional career.

O’Neil has project or technical leader on many research projects over the years including:

PNNL manager for Cyber Resilient Energy Delivery Consortium (https://cred-c.org/) including serving as industry workshop and summer school chair. This is a consortium made of up academia (10), national research laboratories (2) and industry.

PNNL manager for Timing Authentication Secured by Quantum Correlations (https://web.ornl.gov/sci/qis/TASQC.shtml) establishing one of the largest software defined radio testbeds in North America. This two-year project spans multiple national labs and is guided by an industry advisory board.

PNNL manager of the Secure Power Systems Professional for Workforce Development which developed job roles and identified knowledge, skills and abilities to hire and grow cybersecurity energy professionals. This work was guided by an industry advisory board. O’Neil enjoys mentoring others and community outreach in cybersecurity. She regularly speak at local schools for Engineer’s Week, PNNL Community Speaker’s Bureau, and hosts talks for PNNL staff and visitors on cybersecurity and protection of national critical infrastructure. She alsoregularly volunteers for STEM (Science Technology Engineering and Math) based events such as Hacking Camp for High School Girls, Bring Your Child to Work days, and Capture the Flag (https://cyberdefense.anl.gov) events. She has served as a technical member of the SEPA (Smart Electric Power Alliance) Smart Grid Cybersecurity Committee (https://sepapower.org/community/member-committees-and-working-groups/cybersecurity- working-group/).

About Board Elections

Board Election FAQs Board Election FAQs
Q:
How does the (ISC)² Board of Directors election process work?

A:

The election takes place for two weeks every year. All members in good standing as of the date specified in the election notice and of the date of the election may vote. The Board puts forth several recommended candidates each year, and members in good standing as of the date specified in the election notice may petition to have their names added to the ballot.

Q:
Who is eligible to vote in the Board election?

A:

(ISC)² credential holders in good standing as of as of 08 May 2018 and the date of the election 05 September 2018 can participate in the Board of Directors election process.

Q:
Why are only some Board positions available for election?

A:

Board members are elected to three-year terms, and those terms are staggered so that only one-third of the members stand for election each year. This is consistent with common practices for nonprofit organizations, providing continuity of leadership and stewardship.

Q:
Why doesn't the Board place a call for nominations?

A:

Early in the year, the Board begins looking for potential candidates for the Board. This review begins by asking for suitable nominations from its various advisory boards and committees. This search typically yields approximately 25 potential candidates. The Nominations Committee then spends time vetting the candidates against various criteria listed below. This nomination and vetting process ensures that candidates have demonstrated their ability and desire to provide their time and energies to the organization over an extended period of time and are likely to be productive Board members.
Q:
What does the Board look for in candidates it puts forth on its endorsed slate?

A:
When assembling the endorsed slate every election year, the Board is looking for a balance of experience and particular personal characteristics. Prospective Board candidates must:

Have an established record of leadership in the field of information systems security.

Have experience in a managing or directing strategic program across an enterprise.

Have earned the respect and trust of peers in the subject of information security.

Have an established record of advancing the field of information security.

Have not been a salaried employee of (ISC)² or its affiliates.

Possess the ability to: listen, analyze, think clearly and creatively, and work well with people both individually and in a group.

Have the willingness to prepare for and attend four or more in-person board meetings, weekly teleconferences and committee meetings, ask questions, take responsibility and follow through on a given assignment, and read and understand financial statements.

Create opportunities for (ISC)².

Have a commitment from his or her employer to support the time off from work required to support this commitment.

Have a willingness to cultivate and recruit future Board members and other volunteers.

Possess honesty, sensitivity to and tolerance of differing views, and a desire to serve as a member of a team.

Be friendly, responsive, and patient in dealings with fellow Board members, and possess a sense of humor.

Adhere to the (ISC)² Code of Ethics.

Promote the agreed collective Board opinion above their own personal views.

Advocate for the organization. Work for change or acceptance where organizational views do not mirror those of the Board member.

Refrain from bringing the organization into disrepute through personal actions or words.

Qualify for eligibility based on the current (ISC)² Bylaws.
Q:
What selection criteria does the Board Nominations Committee use?

A:

The primary criteria used by the Nominations Committee are a matching of potential candidates to the ‘Experience and Personal Characteristics’ described above. The Committee will not nominate anyone whom the members feel, or know from experience, cannot meet these requirements. Above all, the Board is concerned with how well the membership will be served through the work and responsibilities of their proposed nominees.

Q:
Can (ISC)² members nominate others for Board election?

A:

Yes. As detailed in the (ISC)² Bylaws, the name of any qualified person who agrees to serve if elected may be submitted by a signed, written petition, of at least 500 members in good standing as of the date of the election announcement, to the Board at least 60 days in advance of the start of the election.

Q:
Why do the Bylaws set 500 members in good standing as the requisite number for the petition process?

A:

When the membership ratified the current Bylaws, they determined one percent was seen as a low enough number that could reasonably be achieved by any member, particularly given that signatures could be electronic and the numerous mediums that are available, both official and unofficial, for gathering those signatures. The Bylaws set a number that would not be so small as to make the process so easy as to be perfunctory and not accurately reflect the size of the organization but at the same time not so large as to be an impediment.

Q:
Does (ISC)² notify the membership when and how to recommend Board member candidates or prepare a petition for candidacy?

A:

While (ISC)² is not required to notify the membership of any deadline pertaining to the petition process according to its Bylaws, (ISC)² notifies its members of petition procedures and deadlines every year. The Bylaws provide that petitions for names to go on the official ballot must be received no later than sixty (60) days prior to the election in time for the Board to ensure that they are otherwise qualified and agree to serve if elected and to place them on the official ballot. Eligible members may vote for any qualified candidate who agrees to serve.
Q:
What are the instructions for submitting petitions* to nominate a Board candidate?

A:
To submit a petition, follow these steps:

No later than the deadline, submit a written or electronic petition to (ISC)², containing the signatures of no less than 500 (ISC)² members who are in good standing.

For electronic petitions, the candidate must submit an e-mail that contains (a) original encapsulated emails from supporters using their e-mail address of record and providing their (ISC)² member ID number; and, (b) an Excel spreadsheet listing of all such names with corresponding email address of record and (ISC)² member ID number.

All petitions will be verified to ensure that they meet all of the requirements. If yours does not, we will notify you as soon as possible, giving you the opportunity to resolve the matters that prevented your first submission from being accepted and submit a corrected petition.

If someone else nominates you, you may decline the nomination.

*NOTE: (ISC)² does not endorse petitions. It is up to petitioners to promote their own petition and encourage other members to visit the site and "sign" their petition. (ISC)² will, however, send one email message per election year to all members on behalf of any candidate providing a link to more information about that candidate.
Q:
Other than receiving the required number of petition signatures, what determines if a candidate is qualified?

A:

The minimum qualifications, as set forth in the Bylaws, are that the candidate be a member in good standing, have sufficient command of the English language, meet the term limits requirement, and agree to serve if elected. Members may vote for anyone who meets this minimum qualification. See the question titled, "What does the Board look for in candidates?" for more details on candidate qualifications.

Q:
Where should I go if I have questions any about the Board of Directors election?

A:

Contact bodelections@isc2.org.

Board Election Timeline Board Election Timeline

08 May 2018

Announcement of election

07 June 2018

Board slate of nominees and electronic petition procedures announced

07 July 2018, 5:00 p.m. EDT

Deadline to submit petitions to ballot

29 August 2018

Announcement of instructions for electronic voting

05 September 2018, 8:00 a.m. EST

Electronic voting begins

19 September 2018, 5:00 p.m. EST

Electronic voting ends

About Certifications

(ISC)² Certifications

About Training

Training Methods

Study Resources

Profile & Info

Benefits

CPEs & AMFs

News & Resources

Events

Webinars

Board Elections

You Control the Future

Board Slate

About Board Elections

08 May 2018

07 June 2018

07 July 2018, 5:00 p.m. EDT

29 August 2018

05 September 2018, 8:00 a.m. EST

19 September 2018, 5:00 p.m. EST

About (ISC)²

Validate Your Expertise

About Certifications

(ISC)² Certifications

World-Class Cybersecurity Training

About Training

Training Methods

Study Resources

Members Only

Profile & Info

Benefits

CPEs & AMFs

News & Events

News & Resources

Events

Webinars

Strengthening the Cybersecurity Profession

(ISC)² Community

Board Elections

You Control the Future

Board Slate

About Board Elections

08 May 2018

07 June 2018

07 July 2018, 5:00 p.m. EDT

29 August 2018

05 September 2018, 8:00 a.m. EST

19 September 2018, 5:00 p.m. EST