Blog by Stephen Spagnuolo
A Blueprint for Taking a Leap Forward in CyberSecurity Battlefield Success
Dyn DNS taken down (DDoS). DNC hack (phishing). OPM breach (malware). Not to mention surreptitiously stolen healthcare records and credit card numbers, seemingly every minute of every day.
The cyber imperative . . .
- While the joint US private and public digital security ecosystem gains its ‘sea legs’, the cyber bad guys will continue to have their proverbial way with us.
The two prevailing gaps . . .
- A deep national bench strength of existing and next generation cybersecurity leaders and operators, spanning startups to large corporates and across the public-sector space, who possess the requisite skill set to compete and consistently win on the cyber battlefields of today and tomorrow. Our current bench is woefully short.
- A mechanism for funneling all the disparate data points (who’s doing what, what’s working, what’s not) that are percolating across our cyber ecosystem daily. Presently we seem to bounce between two extremes: information overload and ignorance.
The macro solution . . .
- Transitioning from a burgeoning industry with still “wild west” market tendencies to a dynamic force that is vastly more interconnected and accessible—dare I say institutionalized?—and yet maintains its core entrepreneurial operating spirit. This is a new kind of war we’re collectively fighting. Unlike all prior engagements to date, sustained battlefield success here will be achieved principally with the private/commercial sector leading from the front. Government agencies will be a key player, but in a primary supporting role.
We have our first ever Federal CISO, Greg Touhill, now in place. An incoming new Administration is seemingly reorienting to a strong security posture, presumably to include digital security. And the Commission on Enhancing National Cybersecurity just released its Report on Securing and Growing the Digital Economy. The stars seemingly are aligned for us to take a generational leap forward . . . now.
Three years ago, in A Call For A National Cyber CounterInsurgency, I challenged our cyber ecosystem to look to and replicate the spirit of Skunk Works, Lockheed Martin Corporation’s research and development unit that was stood up during WWII (and is still thriving, making meaningful impact today) to fast track priority national security assets.
Innovation + Coordination + Education . . . and Investment. These are the key pillars that will support and sustain our relentless pursuit of unified mission . . . to consistently beat the bad guys. It may take a generation to get there. Doesn’t matter; eye on the ball.
Reflecting on Skunk Works’ legendary operating model, let me propose the following blueprint . . .
- The establishment of a National Center for Cybersecurity Coordination & Excellence (NaCCCEx), nicknamed Triple-C. Structurally this would marry the commercial fundamentals of a Fannie Mae (an independent, for-profit, government-sponsored entity, or GSE) with the interoperability of a Joint Terrorism Task Force (JTTF) and the cyber information-sharing best practices of the Security Innovation Network (SINET). (Editorial note: For purposes here, let’s set aside what occurred at Fannie in the 2006-09 range, when politics and bad policy mucked up what had been a clear and soundly functioning mandate for some 70 years. And while Fannie Mae is a publicly listed company, I’d advocate that NaCCCEx remain private over the long haul.)
- NaCCCEx will function as a dynamic commercial cyber engine of growth: closely linked with traditional public sector entities (e.g. DHS, US Cyber Command), but clearly separate and distinct from direct government ownership and intervention, and, importantly, solely responsible for managing its own affairs. It is perhaps appropriate, on this 75th anniversary of Pearl Harbor, to recall that without America’s massively powerful commercial engine steaming 24/7, the Allies would have been woefully lacking militarily in combating the Axis powers.
- NaCCCEx will serve as an institutional hub to . . .
- Connect the reams of data points emanating from disparate sources, and bridge private sector companies with public sector entities. A pure-play private sector model with no linkage to the public sector (which is virtually the case today) is not sufficiently effective going forward.
- Develop and deliver to the market the most capable cybersecurity leaders for the years ahead. This requires a mechanism to attract the best minds in cyber today to educate and train future cyberists. The majority of quality cyber folks are simply not going to work for government, for a whole host of reasons: pay is a big one, but so is a generally deep disinclination by many to work for “big brother”.
First and foremost, NaCCCEx is a commercial entity. A vibrant cybersecurity national effort must at its core maintain its commercial spirit. Private and for-profit is the best means to optimize and fast-track cutting edge capabilities. Organizationally it will . . .
- Embody a Co-President leadership structure, consisting of a recently retired technology CEO (less than 4 years out of a mid-cap or larger organization) and an active duty 3-star General/Flag Officer (uniform of the day is business attire), who will serve 2-year tours, alternating off years. For initial launch, the civilian co-president will remain aboard for a 3rd
- Be staffed by permanent employees and those on secondment from a multitude of organizations emanating from our cyber ecosystem.
- Permanent staff must commit to a mandatory 3-year tour. Those who remain aboard for 5 years will be eligible for a one-time special ‘uber’ bonus, paid on a sliding scale tied to aggregate semi-annual performance marks. Compensation will be pegged at roughly the 80th-percentile range of market.
- Secondment staff will serve 2-year tours, with an option to extend for a third year. No more than 25% of secondment staff will be authorized 3rd-year extensions in any one year. Secondment staff will be sourced from (but not limited to): DHS-NCCIC, US Cyber Command, NSA, CIA, FBI and the National Cyber-Forensics and Training Alliance (NCFTA); state and major metro area law enforcement organizations; overseas cyber partners and other close allies, who will be called on to “loan” key representatives; the National Council of ISACs (NCI); the Service Academies’ divisions for cybersecurity studies; major power companies and grid leaders, e.g. Duke Energy, National Grid, PG&E, Con Ed; all publicly listed cybersecurity companies, e.g. FireEye, IBM, Rapid7, SecureWorks; midcap and boutique cyber firms drawn from Cybersecurity Ventures’ published quarterly rankings, e.g. root9B, LookingGlass, Cylance, Darktrace; and cyber investment professionals from leading platforms such as a16z, Accel, Bessemer, In-Q-Tel, Intel Capital, KPCB, NEA, Norwest and Sequoia.
- Feature a Visiting Fellows Program that will tap impact-making cyber thought leaders from across the digital security landscape, including such luminaries as Keith Alexander/IronNet, Ed Amoroso/TAG-Cyber, Frank Cilluffo/George Washington University, Rick Gordon/Mach37, Michael Hayden/The Chertoff Group, Shawn Henry/CrowdStrike, David Kimmel/CyberRiskPartners, Evan Kohlmann/Flashpoint, Angie Messer/BAH, Steve Morgan/Cybersecurity Ventures, Hunter Mueller/HMG Strategy, Theresa Payton/Fortalice Solutions, Kevin Powers/Boston College, Robert Rodriguez/SINET, Phyllis Schneck/DHS, Phil Venables/Goldman Sachs, Amit Yoran/RSA.
- As a membership organization, derive its funding via a rolling, tiered subscription model, with each member’s tier tied to its blended profits over the prior three (3) years. Membership will be highly encouraged but strictly voluntary.
- Be granted a special wartime waiver by Congress regarding payment of federal and state corporate taxes, the proceeds of which shall be reallocated to staff annual bonus and co-investment pools.
By charter, NaCCCEx will foster and enhance early stage cyber products and services coming to market by deploying marketing/business development resources to new and emerging technologies deemed national cyber priorities. An emphasis will be placed on aggregating and re-marketing derivative technologies from across disparate sources. Priority focus will be on identifying and developing active defense and counteroffensive cyber measures.
When it comes to coordination amongst key constituents, we must recognize that we’re essentially operating in a new paradigm. The rules to date may apply to a degree, but for the most part we’re traveling down uncharted roads. Legal must of course be involved, but it cannot drive the agenda; this is critical. NaCCCEx will serve as the primary national cyber information hub, and in doing so will pave these new avenues so they can be navigated efficiently and effectively.
- Public – Private . . . A lot more work to do (too much to detail here).
- Private – Private . . . Highest priority shall be given to feeding new-hack events to subscribers in as near to real time as possible. Secondly, NaCCCEx will elevate ‘cyber in the know’ awareness amongst subscribers regarding all that’s going on in the way of new-start and emerging companies, new cyber product and service offerings, derivative technologies that may be sourced from failed startups, etc. If a subscriber is found to be misusing this ‘enhance and protect’ information, in something akin to industrial espionage, stiff long-term penalties will result.
- US – Overseas . . . Priority status will be granted to Israel and Great Britain. Israel has been operating on the cyber front lines longer than any other white hat public-private collective, and as a result its innovation and coordination methodologies are unparalleled. Britain is doing some cutting edge work of late, both at the national command level and commercially; for instance, see how Bletchley Park is to house a new National College of Cyber Security.
Developing and deploying next generation cybersecurity leaders, be they senior corporate staff, government operators or educators, is perhaps the single greatest strategic imperative we face. The bad guys will routinely revise and adjust. To meet and overcome this seemingly never-ending challenge, we must continually develop and deploy great minds who can adapt and excel. Indeed, battlefield advantage will be defined by our ability to collectively stay one (and ideally two) steps ahead of the bad guys. NaCCCEx’s training program will comprise . . .
- A 20 month training cycle to develop and deliver next generation cybersecurity leaders to the market. Course curricula will center on: general business unit management essentials; leadership and mentoring skills; effective communication (verbal and written)—up, down and across the organizational structure; risk management fundamentals; c-suite and board of directors’ engagement; select corporate CISO, CSO, COO functions.
NaCCCEx’s co-investment arm (the Fund) will be chartered to Incubate + Accelerate + Aggregate.
- The Fund will be raised via traditional go-to-market channels, e.g. corporate and pension funds, private placement and other private sector sources.
- The Fund shall feature a one-time match by the US Government. I envision budgetary allocation split across relevant Departments, including but not limited to DoD, DHS and Education.
- Notional tax dollars, stemming from net profits on subscription receipts and investment returns, shall be re-circulated to the Fund.
NaCCCEx will be the center of gravity of a new-paradigm national cybersecurity collective effort, where a culture of collaboration, excellence and measured risk taking must prevail. Importantly . . . unlike putting a man on the moon, where “failure was not an option” (Gene Kranz, NASA Flight Director), given the speed at which cyber moves, we cannot afford to be stifled waiting for ‘perfect’ solutions . . . A few ‘wrong turns’ to get from here to there is OK.
As published by CSO Online.
About the Author
Stephen Spagnuolo leads the CyberSecurity Leadership Recruitment & Advisory Practice for ZRG Partners, a global executive search firm that embraces data and analytics to underpin the hiring process. He brings over fifteen years of experience recruiting senior and next-generation corporate leaders on behalf of a wide-ranging client base, from leading global investment banks to pre-funded emerging growth companies to consultancies of all sizes. A graduate of the US Naval Academy, he deployed to multiple overseas contingencies as a Marine Corps infantry officer.