Ron Ross

National Institute of Standards and Technology 

Computer Security Division, Information Technology Laboratory 

100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 

Office: (301) 975-5390 

Mobile: (301) 651-5083 

Official Email: 

Web Site: 



Personal Email:

Ron Ross is a Fellow at the National Institute of Standards and Technology. His focus areas include computer security, systems security engineering, and risk management. Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project and Systems Security Engineering Project, which includes the development of security and privacy standards and guidelines for the federal government, contractors, and United States critical infrastructure. He also leads the Joint Task Force, an interagency group that includes the Department of Defense, Office of the Director National Intelligence, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for developing a Unified Information Security Framework for the federal government and its contractors. Dr. Ross previously served as the Director of the National Information Assurance Partnership, a joint activity of NIST and the National Security Agency. He also supports the U.S. State Department in the international outreach program for cybersecurity and critical infrastructure protection. During his military career, Dr. Ross served as a White House aide and senior technical advisor to the Department of the Army. Dr. Ross has lectured at many universities and colleges including Stanford University, Massachusetts Institute of Technology, Dartmouth College, Naval Postgraduate School, Ohio State University, Auburn University, and George Washington University.

Dr. Ross has authored or coauthored many publications on risk management, cybersecurity, systems security engineering, and cyber resiliency. His publications include Federal Information Processing Standards (FIPS) 199 (security categorization), FIPS 200 (security requirements), and NIST Special Publication (SP) 800-39 (risk management), SP 800-53 (security and privacy controls), SP 800-53A (security assessments), SP 800-37 (Risk Management Framework), SP 800-30 (risk assessments), SP 800-160, Volume 1 (systems security engineering), SP 800-160, Volume 2 (cyber resiliency), SP 800-171 (protection of Controlled Unclassified Information in nonfederal systems and organizations), and SP 800-171A (security assessments for nonfederal organizations).

Dr. Ross has received numerous public and private sector awards including the Presidential Rank Award, Samuel J. Heyman Service to America Medal for Homeland Security and Law Enforcement, Department of Defense Superior Service Medal, National Security Agency Scientific Achievement Award, Department of Commerce Gold and Silver Medal Awards, Applied Computer Security Associates Distinguished Practitioner Award, GCN Government Executive of the Year Award, Vanguard Chairman’s Award, Government Technology Research Alliance Award, InformationWeek’s Government CIO 50 Award, Billington Cybersecurity Leadership Award, ISACA National Capital Area Conyers Award, ISACA Joseph J. Wasserman Award, AFFIRM President’s Award, Symantec Cyber 7 Award, SC Magazine’s Cyber Security Luminaries Award, (ISC)2 Lynn F. McNulty Tribute Award, and 1105 Media Gov30 Award. He has also been recognized three-times as one of the Top 10 Influencers in Government IT Security and is a five-time recipient of the Federal 100 award for his leadership and technical contributions to cybersecurity projects affecting the federal government. Dr. Ross has been inducted into the National Cyber Security Hall of Fame, selected as an (ISC)2 Fellow, and inducted into the Information Systems Security Association Hall of Fame receiving its highest honor of Distinguished Fellow.

Dr. Ross holds a Bachelor of Science degree in Engineering from the United States Military Academy at West Point. He is a graduate of the Defense Systems Management College and holds both Masters and Ph.D. degrees in Computer Science from the United States Naval Postgraduate School specializing in artificial intelligence and robotics.

Kevin Morrison

Kevin Morrison is the Managing Director of Enterprise Information Security, & CISO at Alaska Air Group in Seattle, WA. Alaska Air Group has both Alaska Airlines and Horizon Airlines under its umbrella, and Kevin has been fortunate to serve in this role since May 2020. Kevin has held previous CISO roles at Coinstar, PulteGroup, and at Jones Day, which is one of the oldest and largest law firms in the world. His background spans nearly 22 years in IT, with over 16 of them in Information and Cybersecurity. Kevin’s passion for people and security has included building and leading teams focused on incident management, operations, DLP, mobility, forensics, compliance, policy, privacy, and business continuity in innovative and highly regulated environments across public and private industries.

Kevin has had the pleasure to present extensively within the Information Security community and has served on several advisory and governance boards, and in March 2015, was selected by his peers as the ISE® Southeast People’s Choice Award Winner. He holds a B.S. in IT from UMass Lowell, and an MBA from Pacific Lutheran University, while maintaining CISSP, CISM, and CISA certifications.

Cyber Strategy Retreat

Keynote Abstract

“The Strategy of Influence in the Cybersecurity Program”

How do you show up? How do you model, mentor, communicate and collaborate to build trust? It’s no secret that the demands of a CISO are not for the faint of heart. Between carefully walking a tightrope of an ever-changing threat landscape and balancing the need to enable organizations to rapidly innovate and execute, a CISO must creatively influence stakeholders across the organization for the Cybersecurity program to succeed. Without such influence, the ability to build partnerships with your team, peers, customers, the Board of Directors, or key parts of the business can quickly become a lesson learned in what not to do.

In this Keynote presentation, Kevin Morrison, Managing Director of Enterprise Information Security, & CISO at Alaska Air Group will share stories, insights, and recommendations that attendees can take away for building a strategy of influence and improving their security program’s success.

Paige T. Needling



Needling Worldwide 

Paige is the founder and CEO of Needling Worldwide, LLC, a fast-growing cybersecurity firm specializing in standards-based security compliance and certification. Paige has more than 20 years of experience addressing the challenges of network security, data privacy, risk management, and corporate cybersecurity strategy. Paige has been featured in a variety of industry publications and is a frequent speaker at industry symposia. Her entire career has been dedicated to the evolving landscape of information security; and, she is a leader by example, boasting numerous credentials including Certified Lead Auditor for ISO 9001 and ISO 27001. She has led the efforts for multiple organizations in achieving compliance and certification to ISO 27001, ISO 20000, HIPAA, SOC2, NIST, PCI DSS, and CMMC standards. Prior to Needling Worldwide, she served as Chief Information Security Officer for OneAmerica Financial Services, Reverse Technology Group, and San Juan Construction, Inc., Chief Compliance Officer and Global Director of Information Security and Compliance for Recall Holdings, Director of Data Privacy and Information Management for IHG and other Senior Management roles including for The Coca-Cola Company.

Abstract for Cyber Strategy Retreat in Atlanta

“Walking the Talk of Cybersecurity” 

The core concept of the talk? That too many organizations are on the verge of going off the proverbial cliff by neglecting to do the difficult, non-glamorous work beneath the headlines and the furious investments in cyberdefense technology.

As a consultant deeply involved with organizations of every size all across the United States, Paige sees first hand – and from a ‘crow’s nest’ perspective – the troubling disconnects starting to bare their ugly teeth in so many companies. These are organizations trying to do the right thing, which in most cases is throw talk and as much money as they can at perimeter security, authentication protocols and all manner of goods and gadgets that the headlines say will make them safer. And perhaps they will. But, according to Ms. Needling, crucial “basics” are being ignored and they threaten to undermine the “real world” security footing of these organizations. Simple things are always simple to do. Which may explain why so many companies pay lip service, at best, to things like Security Awareness Training for employees – why an ultra-secure office is still wide open to breach from vendors and business partners, either physically entering their building or introducing hack vectors through unsecure (or non-integrated) systems.

Central to this discussion are a series of critical “disconnects” and lack of alignment within organizations, making cybersecurity a top “talking point” for senior executives and Boards who don’t necessarily have the cyber IQ or strategic incentive to connect all the dots down in the trenches. It’s the reason that the CISO still has trouble finding audience with the Board, and why, in most companies, their own employees are still the greatest threat to security.