Sunday, May 29, 2016

Memorial Day Essay: Reborn at Arlington

1,500 US Army soldiers stood on the misty parade field at Fort Myer waiting for the sun to rise. The leadership had scheduled another morale-building yet mandatory "fun run," where once a quarter the entire unit comes together to do PT (Physical Training) in a show of Esprit de Corps and unit cohesion. Since we were all stationed at the Pentagon, many of us had been in the Army for a while. We were a little broken down in the body department and had seen our fair share of these types of events. There we were, at the twilight of our careers, huddled in small groups during the dawn of one more PT morning.

Of course, there was the usual grumbling between the older soldiers asking one another if we were motivated yet and if we had a cup of Esprit De Corps to spare. But there was a sprinkling of young soldiers among us too and their shiny new faces kept us old timers from getting too cynical and fussy.

As the sun poked up above the horizon, the Army's Command Sergeant Major called the gaggle to attention and the formation began to run. The Non-Commissioned Officers (NCOs) led the assemblage in rousing voice and extolled the virtues of Granny [1], My Girl [2] and the C-130 [3]. Below the roar of the singing, just in the background, you could hear the footsteps of the 1500 strong pounding the pavement in syncopated rhythm.

The formation crested the hill overlooking Arlington Cemetery and the vista of Washington DC opened up before us. The Army Colors, at the front of the formation, started their descent towards the Cemetery just as the sun had risen to about the same height as the Washington Monument several miles distant. And still the singing and the pounding drove the formation as it snaked down the hill towards the front gates.

As the colors passed into the Cemetery, like a line of dominoes falling, the singing faded away. One platoon after the other fell silent in mute honor of our fallen comrades-in-arms laid to rest in the National Cemetery. As the voices muted, the only sound you could hear was the constant beat, beat, beat of the run and the Army colors whipping in the slight breeze. Nobody spoke except for the occasional NCO keeping everybody in step with a solid, but quiet, 1 - 2 - 3 - 4, 1 -2 - 3 - 4. It was serene. It was sublime.

Midway through the run, the Command Sergeant Major called the formation to a halt and commanded us to execute a right-face towards the middle of the cemetery. The rising sun had burned off the last vestiges of mist from the manicured lawns. The breeze trickled through the formation’s silence and the Army Colors at the front. And then we all heard it; that mournful sound of a single bugler playing Taps. [4] He began the music low at first; almost whispering the sound through the horn. But slowly, his crescendo wrapped the listener into a cocoon of sadness, memory, and a sense of loss about the lives that could have been. On that misty morning, young and old soldiers alike shed mutual tears as the bugler played on.

When it was done and the silence greeted the end of the song, a chill went down my back. It occurred to me that we were not merely taking a morning jog anymore. We were actually passing in review. These fallen soldiers who performed the ultimate sacrifice for their country were watching us and sizing us up. I hoped that we could pass muster. I had this great desire to let them know that we had the guidon now and it was in good hands. We would not let them down. I stood a little taller then. As we began to run home, the burden of running was a little lighter. As the 1,500 boarded the buses to head back to the Pentagon, I realized that this old soldier was less cynical today; less worn for wear. Although I may not have the shiny face of one of those new soldiers, I was reborn this morning. Together, both old and young, we will carry on.

Memorial Day Weekend

This weekend is Memorial Day Weekend. It is a U.S. holiday that originally began in 1856 as a way for local communities to honor the Union soldiers who died in the U.S. Civil War. After WWI, the meaning of the holiday shifted to include all who have died in American wars. In 1971, the U.S. Congress made the remembrance a national holiday. [5]

I wrote the above essay, “Reborn at Arlington,” back in 2000 when I was stationed at the Pentagon and long before the madness of 9/11 kicked in and our Presidents committed our military to over 15 years of war across five different operations [8]. Since then, 6,888 U.S. Soldiers and DOD Civilians have been killed and 52,435 have been wounded in action in this everlasting “War on Terrorism.” [6][7] It is now five years older than the Vietnam War, the former longest U.S. War ever (10 years), and there seems to be no end in sight. [10] The U.S. still has some 6,000 troops deployed in the Middle East at a cost of $2.1 Million per soldier per year. [9]

And you have to ask yourself why? Can you point to one thing that the U.S. got by committing 15 years of blood and treasure to this cause? Can you even articulate what it is we are still fighting in the Middle East for? Supporters of the “War on Terrorism” will point to the assassination of Osama Bin Laden and the execution of Saddam Hussein as two big wins. They will say that we are keeping ISIS at bay. But as the years go by and the cost of the effort continues to rise, we have to ask ourselves when is it enough? How much more do we have to pay in blood and treasure to pursue loosely defined objectives? When is it over? Are we comfortable with the nation conducting a war indefinitely?

As of last year, the U.S. has spent $1.7 Trillion dollars (that is Trillion with a T) on the global “War on Terrorism” since 2001. [11] To give you something to compare that to, 1.7 trillion seconds is ~60,000 years. [12] Combine that with close to 7,000 military killed and over 52,000 wounded to get a sense of the total cost to the nation. [6][7][12] The “War on Terrorism” is the sixth largest U.S. war in terms of military killed out of the 12 that the U.S. has fought. And we are not done. The clock is still ticking.

The United States has marked this weekend as a time to honor our fallen soldiers. As President Lincoln said in his Gettysburg Address, “It is altogether fitting and proper that we should do this.” But it occurs to me that instead of taking a day to remember our fallen citizens, that we might make a grander gesture. We might consider demanding that our politicians articulate what we are trying to accomplish in the “War on Terrorism” with more precision. We might consider trying to find a way to bring our military home so that on next year’s Memorial Day, we will not have to add more numbers to the casualty list.

"War on Terrorism" by Operation

Operation Enduring Freedom

The Afghanistan War
From 7 October 2001 to 28 December 2014 [8]
13 Years
2,349 U.S. Soldiers and DOD Civilians Killed [6][7]
20,071 U.S. Soldiers and DOD Civilians Wounded in Action [6][7]

Operation Iraqi Freedom

The Iraq War
From 19 March 2003 to 19 August 2010 [8]
7 Years
4,424 U.S. Soldiers and DOD Civilians Killed [6][7]
31,952 U.S. Soldiers and DOD Civilians Wounded in Action [6][7]

Operation New Dawn

Iraq War Transition
From 1 September 2010 to 15 December 2015 [8]
5 Years
73 U.S. Soldiers and DOD Civilians Killed [6][7]
295 U.S. Soldiers and DOD Civilians Wounded in Action [6][7]

Operation Inherent Resolve

Military intervention against the Islamic State of Iraq and the Levant
From 15 June 2014 to present [8]
2 Years +
20 U.S. Soldiers and DOD Civilians Killed [6][7]
14 U.S. Soldiers and DOD Civilians Wounded in Action [6][7]

Operation Freedom's Sentinel

The Afghanistan Support Mission
From 1 January 2015 to present [8]
1 Year +
22 U.S. Soldiers and DOD Civilians Killed [6][7]
103 U.S. Soldiers and DOD Civilians Wounded in Action [6][7]

Total "War on Terrorism"

From 7 October 2001 to present [8]
15 Years +
6,888 U.S. Soldiers and DOD Civilians Killed [6][7]
52,435 U.S. Soldiers and DOD Civilians Wounded in Action [6][7]

Deployed troops in the Middle East: 6,000 [9]
Cost: $2.1 Million per soldier per year [9]

American War Death Toll [13]

1,000 (not including Native Americans): Indian War
1,565: Persian Gulf War
2,260: War of 1812
2,446: Spanish-American War
4,435: Revolutionary War
6,888: "War on Terrorism"
13,283: Mexican War
54,246: Korean War
90,220: Vietnam War
116,516: WWI
405,399: WWII
498,332: Civil War

[1] "Army Cadence - My Old Granny, She's 91," 19 September 2008, Last Visited 22 May 2015.

[2] "C-130 Rollin' Down The Strip," 20 May 2007, Last Visited 22 May 2015.

[3] "U.S. Army Cadence My Girl's A Pretty Girl," 14 July 2008, Last Visited 22 May 2015.

[4] “Montgomery Clift trumpet,” From Here to Eternity, Posted 12 March 2007, Last Visited 22 May 2015.

[5] "10 historical facts about Memorial Day," by Allison Sylte, KSDK-TV, St. Louis, Mo., 23 May 2015, Last Visited 23 May 2015.

[6] "A Guide to U.S. Military Casualty Statistics: Operation Freedom’s Sentinel, Operation Inherent Resolve, Operation New Dawn, Operation Iraqi Freedom, and Operation Enduring Freedom," by Hannah Fischer, Congressional Research Service, 7 August 2015, Last Visited 28 May 2016.

[7] "Casualty Status," U.S. Department of Defense, 27 May 2016, Last Visited 28 May 2016.

[8] "U.S. Periods of War and Dates of Recent Conflicts," by Barbara Salazar Torreon, Congressional Research Service, 27 February 2015, Last Visited 28 May 2016.

[9] "Where in the World Isn't the U.S. Military?" by Bonnie Kristian, U.S. News and World Report, 4 May 2016, Last Visited 28 May 2016.

[10] "These are America’s 9 longest foreign wars," by Adam Taylor, The Washington Post, 29 May 2014.

[11] "The War On Terror Has Cost Taxpayers $1.7 Trillion [Infographic]," by Niall McCarthy, Forbes Magazine, 3 February 2015, Last Visited 29 May 2016.

[12] "How to Develop a Sense of Scale," by Kalid, Better Explained, 2008, Last Visited 29 May 2016.

[13] "How many Americans have died in U.S. wars?" by Megan Crigger and Laura Santhanam, PBS - WETA, 24 May 2015, Last Visited 29 May 2016.

[14] “Memorial Day Events,” ABC News, 2014, Last Visited 29 May 2016.

Sunday, August 2, 2015

Book Review: "Go Set a Watchman (2011) by Harper Lee," Book Reviewed by Rick Howard, 1 August 2015

Executive Summary

In Harper Lee’s Go Set a Watchman, Jean Louise Finch as a young woman discovers that racial tensions in the South are not as black and white as she thought they were when she was a young girl, Scout, in To Kill A Mockingbird. Her father, Atticus Finch, is not the paragon of virtue she thought he was either and is in fact a “segregationist,” a “gentleman bigot,” and affiliates “with raving anti-integration, anti-black crazies.” The story pivots on Jean Louise’s discovery of her father’s flaws, her shock at that revelation and the process she goes through to reach a sort of acceptance around the dethroning of her father. Atticus Finch has been my hero since Gregory Peck played him in the 1962 movie. He has always been the literary example I aspired to whenever I encountered my own moral conundrums. This takedown of the character by Harper Lee is a shock for sure. But in the end, Atticus Finch is still my hero. It is kind of a relief to know that even our heroes are not perfect in every way; that you can still admire and emulate a person even though you might not agree with everything he or she believes. This novel makes him more human and I guess I can live with that.


Atticus Finch has been my hero since I first saw Gregory Peck portray the character in the famous movie To Kill a Mockingbird, released in 1962. [1] The scene in the courthouse where all the white people have left the room but the local black people are still in the balcony waiting on Mr. Finch to leave still brings tears to my eyes to this day, even after numerous viewings. Atticus’ two kids, Scout (Jean Louise) and Jem, had snuck up to the balcony so as not to miss the show and sat next to the town’s black reverend during the festivities. When Atticus finally gets his things together and begins to walk out, he is oblivious to the black people in the balcony. He does not register that they have all stood up in quiet respect for what he is doing: defending a black man who is accused (wrongly) of raping a young white woman. Scout, Atticus’ daughter, is the only person in the balcony who did not stand as Atticus begins to walk out of the courtroom. The black reverend turns to her urgently and says,

Miss Jean Louise. Miss Jean Louise, stand up. Your father is passing. [1]

Bill Walker, the actor who played the reverend, captured completely in just 12 words and silent facial gestures the sentiment of the movie; that Atticus Finch was a great man, an honorable man and a man whose example we should all aspire to. Gregory Peck himself said that Bill Walker’s small but beautiful performance wrapped up the Academy Award for him. [2] 

But it was not until I read Harper Lee’s book when I was much older that I understood the significance of Atticus Finch as a character and as a hero. [3] 

One of my favorite scenes from the book captures his essence. The next-door lady, Miss Maudie, is talking to Atticus’s son about the significance of the court case to the town and to his father.

“I simply want to tell you that there are some men in this world who were born to do our unpleasant jobs for us. Your father’s one of them.” 

“Oh,” said Jem. “Well.”

“Don’t you oh well me, sir,” Miss Maudie replied, recognizing Jem’s fatalistic noises, “you are not old enough to appreciate what I said.”

Jem was staring at his half-eaten cake. “It’s like bein’ a caterpillar in a cocoon, that’s what it is,” he said. “Like somethin’ asleep wrapped up in a warm place. I always thought Maycomb folks were the best folks in the world, least that’s what they seemed like.”

“We’re the safest folks in the world,” said Miss Maudie. “We’re so rarely called on to be Christians, but when we are, we’ve got men like Atticus to go for us.” [3]

Atticus Finch has been my hero for as long as I can remember. When I run into moral decisions in my own personal life, I have always asked myself, “What would Atticus Finch do?” I don't always follow his advice, but afterward, without fail, I realize that I should have.

When the word started to leak out that Harper Lee had written a sequel, Go Set A Watchman, [4] and that she reveals that Atticus Finch is really a closeted racist, I was floored. How could she? How could it be possible that the man she painted so vividly and so beautifully as the modern example of what a man should be -- what men should aspire to be – could become such a hated thing?


The title of the book comes from the Bible: Isaiah 21:6.

For thus hath the Lord said unto me, Go, set a watchman, let him declare what he seeth. [5]

According to Wayne Flynt, a minister and one of Lee’s longtime friends,

“'Go Set a Watchman' means, somebody needs to be the moral compass of this town.” [6]

In the original, To Kill a Mockingbird, Atticus is exactly that. Scout as a young girl admires everything about her father and only a few within the town -- Miss Maudie, the sheriff and the judge – understand the full ramifications of that. To a young Scout, he is a paragon of virtue in everything that he does and every moral question that he confronts is precisely black and white.

In Go Set a Watchman, Atticus still sits at his post as a guardian of the town, but Jean Louise, now a young woman, discovers that he is not the perfect paragon that she had built him up to be. He is not a god, he is a man; a really good and decent man, but he is a man all the same, with all the flaws that go with the territory and an understanding that there is a lot of grey area between those two black and white poles. Jean Louise discovers that her father does not actually believe that the black man is an equal to the white man, at least not in the negro’s current state at the time of the book. Atticus is a “segregationist,” a “gentleman bigot,” and affiliates “with raving anti-integration, anti-black crazies.” [7]

During an interview with David Greene on NPR, poet Natasha Trethewey said that Atticus believes

“… in a kind of limitation of African-Americans, that they are and were at that time a people in their infancy, the idea that we had to go slow because these people weren't really ready for it. They weren't really ready to vote. They weren't really ready to go to school with white children.” [8] 

The plot of Go Set a Watchman pivots on Jean Louise’s discovery of that notion about her father, her shock at that revelation and the process she goes through to reach a sort of acceptance of that dethroning of her father.


I am not sure how I feel about the idea that Atticus Finch is not perfect. On the one hand, it was easy for me to point to his literary example as a barometer for what it means to be man. On the other, it is kind of a relief to know that even our heroes are not perfect in every way; that you can still admire and emulate a person even though you might not agree with everything he or she believes. In the end, Atticus Finch is still my hero. Harper Lee’s Go Set a Watchman makes him more human and I guess I can live with that.


[1] "To Kill a Mockingbird (8/10) Movie CLIP - Your Father's Passing (1962) HD," Movieclips, posted 27 May 2011, Last Visited 1 August 2015.

[2] "Bill Walker Biography," IMDb, Last Visited 1 August 2015.

[3] "To Kill a Mockingbird," by Harper Lee, Published 1960 by Harper Perennial Modern Classics, Last Visited 1 August 2015.

[4] "Go Set a Watchman (To Kill a Mockingbird)," by Harper Lee, Published 14 July 2015 by Harper, Last Visited 1 August 2015.

[5] "King James Bible: Isaiah 21:6," The Official King James Bible Online, Last Visited 1 August 2015.

[6] "'Go Set a Watchman': What does Harper Lee's book title mean?," by Greg Garrison, AL.com, 5 February 2015, updated 13 July 2015, Last Visited 1 August 2015.

[7] "Harper Lee, Atticus Finch and Go Set a Watchman: What the world is saying," by John Hammontree, 20 July 2015, Last Visited 2 August 2015.

[8] "The Meaning Of A Hero Cast In Shadow, In Harper Lee's 'Go Set A Watchman,'" by David Greene, NPR, 14 July 2015, Last Visited 2 August 2015.

Friday, July 17, 2015

Cybersecurity Canon Candidate Book Review: "Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats (2011)," by Will Gragido and John Pirc

Executive Summary

Cybercrime and Espionage, published in 2011, is a book that was ahead of its time. The authors were pushing the envelope in terms of how the security community should think about advanced threats. However, almost five years later, there is not enough in here to make the book Canon material. Gragido and Pirc present some stimulating ideas, but in the end, the security community has not adopted many of them. My recommendation is to read this book if you are interested in how our community has evolved in terms of thinking about adversary campaigns. However, if you are looking for a state-of-the-art book about cybercrime and cyber espionage, this is not it.


Will Gragido and John Pirc published this book in February 2011 — the year after the commercial industry experienced its wake-up call in terms of cyber espionage: Operation Aurora. [1] Aurora refers to the adversary campaign launched at Google and other commercial organizations that was designed to steal intellectual property, collect information on human rights activists, and gather intelligence regarding ongoing FBI wiretap operations. [2] What made Aurora notable was Google’s reaction to it. They went public and accused the Chinese government of being responsible for the attacks. Before Aurora, most commercial organizations would not admit that they had been breached, even though nation states had been targeting commercial organizations for at least a decade. Business leaders worried that admitting a breach would significantly affect the bottom line. After Aurora and Google’s public mea culpa, it became easier for other commercial entities to admit that they had been breached. Fast-forward to today, and public breach notifications are so common that it is difficult to keep up with them all.

But this was the beginning. Before Aurora, the only significant cyberthreat to the commercial world at the time was crime. After, cyber espionage became something that we all had to worry about. This is the context for the book: defining cybercrime and cyber espionage as motivations — what makes them different and what makes them the same.


The two authors, Will Gragido and John Pirc, are experienced cybersecurity professionals, and it is clear that they know what they are talking about, but the book is a bit disorganized in terms of who the target audience is. The content is a mix of introductory and advanced material, and I did not see that the book had a through line. The authors’ analysis of the cybercrime world is at the introductory level. If you want a more in-depth book on the same topic that was published around the same time, consider Kingpin, written by Kevin Poulsen. [3] If you are looking for something a little more recent, consider Spam Nation by Brian Krebs. [4] The espionage material is more advanced, but if you want to go deeper, consider Kim Zetter’s Countdown to Zero Day [5] or Richard Bejtlich’s The Practice of Network Security Monitoring. [6]

I do give Gragido and Pirc credit, though, for covering some advanced ideas ahead of their time that have not really become popular until just recently. One idea that I really like is that commercial organizations should build their own intelligence teams to track adversary campaigns. They published the book almost five years ago, and this was not universally accepted at the time. It is not universally accepted today either, but more and more organizations are starting to understand the value of such teams. As an aside, this is one of the reasons I got hired at Palo Alto Networks: to build an intelligence team that we eventually called Unit 42.

Gragido and Pirc push their own intelligence model called MOSAIC: Motive, Awareness, Open Source Intelligence Collection, Study, Asymmetrical Intelligence Correlation, Intelligence Review and Interrogation and Confluence. It is a good framework for an intelligence analyst; unfortunately, the model has not really caught on. Most intelligence organizations — the CIA, the FBI, and the NSA, as well as Unit 42 — use a model called The Intelligence Cycle. [7][8] They are basically the same thing, but the MOSAIC model has more detail.

The authors introduce a new phrase called Subversive Multivector Threats (SMTs), a sort of superset to what the cybersecurity community used to call the Advanced Persistent Threat (APT). They even explain the origin of the APT phrase, a phrase the military had been using for almost a decade in an UNCLASSIFIED setting to mean anything that involved Chinese government-sanctioned cyber espionage. Gragido and Pirc were ahead of their time, understanding that the community needed another name to label similar attacks that did not originate from China. Thus, they came up with SMTs, but the community has not embraced that term. We have evolved the APT phrase to include everything instead. 

Another advanced idea presented that I really liked was the concept that there are humans behind these attacks. Tools do not attack our systems. Humans — often organized into groups — attack our systems, and they use tools to accomplish some goal. These adversary groups can be rated in skill level from novice to expert and have motivations like cybercrime and cyber espionage; and it helps defenders do a better job by understanding that context, according to the authors. I wholeheartedly agree. But today, I think we can expand that motivation list to include hacktivism, cyberterrorism and cyberwarfare, and I thought their definitions of hackers’ maturity levels were not definitive enough to be useful. 

Also, Gragido and Pirc introduce a two-tiered categorization scheme for adversary campaigns, where Tier 1 campaigns target

… air-gapped networks or networks that would be considered highly secured, such as those of power companies (supervisory control and data acquisition or SCADA networks), governments, and defense organizations. [9]

Tier 2 adversary campaign plans are all other APT campaigns. This two-tiered system seems ill-conceived today. The security community considers SCADA networks in general, and power companies in particular, as being at least 10 years behind the rest of the community. [10] And government networks have proven to be even less secure than most commercial organizations, except for maybe the intelligence community’s networks and some select defense networks. [11] I do not see a need for this two-tiered system in today’s threat environment.

One last advanced idea that I really liked was that threat prevention is possible. There has been a trend in the industry these past five years where security leaders have thrown their hands in the air saying they cannot possibly stop the APT, and that it is better to concentrate their precious resources solely on detection and mitigation. This is just plain wrong, and Gragido and Pirc do well to point that out. If I can prevent 90 percent of all attack campaigns because most adversaries use known techniques, why not do it? That lets me concentrate my resources on finding the unknown techniques. Detection and mitigation are important, but these activities should be balanced with a robust threat prevention program. Even in 2011, Gragido and Pirc asserted this philosophy.


Cybercrime and Espionage is a book that was ahead of its time. I give the authors credit for pushing the envelope as to how the security community’s thinking around advanced threats should evolve. If you read it when it was published, it would have stimulated your thought process around your own security program. But almost five years later, there is not enough in here to make the book Canon material. Gragido and Pirc present some stimulating ideas, but in the end, the security community has not adopted many of them. My recommendation is to read this book if you are interested in how our community has evolved in terms of thinking about adversary campaigns. However, if you are looking for a state-of-the-art book about cybercrime and cyber espionage that will stand the test of time, this is not it.


Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats, is a Cybersecurity Canon Candidate. Please visit the official page sponsored by Palo Alto Networks to read all the books from the Canon project.


[1] "Google Hack Attack Was Ultra Sophisticated, New Details Show," by Kim Zetter, Wired Magazine, 14 January 2010, Last Visited 5 July 2015.

[2] "Google Aurora Hack Was Chinese Counterespionage Operation," by Mathew J. Schwartz, InformationWeek: Dark Reading, 21 May 2013, Last Visited 5 July 2015.

[3] "The Cybersecurity Canon: Kingpin," by Rick Howard, Palo Alto Networks, 11 February 2014, Last Visited 9 July 2015.

[4] "The Cybersecurity Canon: Read Rick Howard’s First-Look Review of SPAM Nation by Brian Krebs," by Rick Howard, Palo Alto Networks, 17 November 2014, Last Visited 9 July 2015.

[5] "The Cybersecurity Canon: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon," by Rick Howard, Palo Alto Networks, 28 January 2015, Last Visited 9 July 2015.

[6] "The Cybersecurity Canon: The Practice of Network Security Monitoring," by Rick Howard, Palo Alto Networks, 10 November 2014, Last Visited 9 July 2015.

[7] "The Intelligence Cycle," Central Intelligence Agency: Kids Zone, Last Visited 9 July 2015.

[8] "The Intelligence Cycle," Federation of American Scientists, Last Visited 9 July 2015.

[9] "Cyber Crime and Espionage: An Analysis of Subversive Multi-Vector Threats," by Will Gragido & John Pirc, Syngress Publishing, 7 January 2011, Last Visited 10 July 2015.

[10] "SCADA systems: Riddled with vulnerabilities?" by Doug Drinkwater, SC Magazine, 26 August 2014, Last Visited 10 July 2015.

[11] "4 Worst Government Data Breaches Of 2014," by Jai Vijayan, InformationWeek: Government, 12 November 2014, Last Visited 10 July 2015.


"APT1 Three Months Later – Significantly Impacted, Though Active & Rebuilding," by Dan McWhorter, 21 May 2013, Last Visited 9 July 2015.

"EU Data Protection Directive (Directive 95/46/EC)," TechTarget, Last Visited 10 July 2015.

"Internet Crime Complaint Center (IC3)," The Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), Last Visited 5 July 2015.

"Safe Harbor Privacy Principles," Last Visited 10 July 2015.

Tuesday, July 14, 2015

Books You Should Have Read By Now

When I started Terebrate back in January 2010, I always intended it to be a place to put my book reviews on whatever I was reading. Since then, a lot has happened in my professional life. I changed jobs, twice. I presented my collection of cybersecurity book reviews at the annual RSA Conference and suggested that the cybersecurity community ought to have a list of books that we all should have read by now. My current employer, Palo Alto Networks, liked the idea so much that they decided to sponsor it. We ended up creating the Rock and Roll Hall of Fame for cybersecurity books. We formed a committee of cybersecurity experts from journalists, CISOs, researchers and marketing people who were all passionate about reading. My collection became the candidate list and for the past two years, the committee, with the help of community voting, has selected books from the candidate list to be inducted into something we are calling the Cybersecurity Canon. It has been very exciting.

This is all preamble to say that I have decided not to duplicate the Canon content on both the Palo Alto Networks' Canon Page and the Terebrate site. I will still post the individual book reviews, but if you want to follow along with what is happening with the Canon Project, please read the Canon page.

Sunday, May 17, 2015

Should Lawmakers Vote to End the National Security Agency’s Bulk Collection of Phone Records?

Yes — absolutely.

Section 215 of the Patriot Act is set to expire on June 1. That provision gives the NSA permission to collect metadata from communications mediums like phone calls. Metadata, in this case, refers to the phone number making the call, the called number, the date and time of a call, and the call’s duration. It does not give the NSA permission to collect any content, such as the actual voices on each end of the call.

From an intelligence perspective, this kind of information is invaluable for finding the needle in the haystack. By drawing phone and email nodal analysis diagrams of suspects (link analysis), intelligence analysts can very quickly find key leaders of terrorist groups. The person using the phone involved in most of the calls, and connecting to the most people, is very likely a key leader in the organization.
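As an added illustration of the link analysis described above (constructed sample data and example code written for this page, not part of the original post), the script below works only with the four metadata fields named earlier: caller, called number, date and time, and duration. It ranks numbers by how many distinct people they connect to and then by call volume, and shows why a node with the most calls is not necessarily the hub with the most contacts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CallRecord:
    """One metadata record. No content field exists: only who, when, how long."""
    caller: str
    callee: str
    started: datetime
    duration_s: int


# Constructed, hypothetical numbers (not real data).
# 555-0100 makes one short call to each of five different numbers (a hub).
# 555-0200 and 555-0201 call each other six times (a busy pair, not a hub).
# 555-0101 also calls 555-0102 once, so the hub's contacts know each other.
SAMPLE_RECORDS = [
    CallRecord("555-0100", "555-0101", datetime(2015, 5, 1, 9, 0), 60),
    CallRecord("555-0100", "555-0102", datetime(2015, 5, 1, 9, 5), 60),
    CallRecord("555-0100", "555-0103", datetime(2015, 5, 1, 9, 10), 60),
    CallRecord("555-0100", "555-0104", datetime(2015, 5, 1, 9, 15), 60),
    CallRecord("555-0100", "555-0105", datetime(2015, 5, 1, 9, 20), 60),
    CallRecord("555-0101", "555-0102", datetime(2015, 5, 1, 10, 0), 90),
] + [
    CallRecord("555-0200", "555-0201", datetime(2015, 5, 1, 12, i), 300)
    for i in range(6)
]


def link_analysis(records):
    """Build the nodal (link) diagram from metadata alone.

    For each number returns:
      degree  - distinct counterparties (edges touching the node)
      calls   - calls the number took part in, either direction
      talk_s  - total seconds on the line
    """
    contacts = defaultdict(set)
    calls = defaultdict(int)
    talk = defaultdict(int)
    for r in records:
        contacts[r.caller].add(r.callee)
        contacts[r.callee].add(r.caller)
        for number in (r.caller, r.callee):
            calls[number] += 1
            talk[number] += r.duration_s
    return {
        n: {"degree": len(contacts[n]), "calls": calls[n], "talk_s": talk[n]}
        for n in contacts
    }


def rank_hubs(records):
    """Numbers ordered by distinct contacts first, then call count, then talk time.

    Degree comes first because a pair that calls each other constantly
    generates many calls but reveals only one relationship.
    """
    stats = link_analysis(records)
    return sorted(
        stats,
        key=lambda n: (stats[n]["degree"], stats[n]["calls"], stats[n]["talk_s"]),
        reverse=True,
    )


def likely_key_node(records):
    """The number the post describes: most connections, most calls."""
    return rank_hubs(records)[0]


def busiest_by_calls(records):
    """The naive answer (raw call count), for comparison with likely_key_node."""
    stats = link_analysis(records)
    return max(stats, key=lambda n: stats[n]["calls"])


if __name__ == "__main__":
    stats = link_analysis(SAMPLE_RECORDS)
    for number in rank_hubs(SAMPLE_RECORDS):
        print(number, stats[number])
    print("hub:", likely_key_node(SAMPLE_RECORDS))
    print("most calls:", busiest_by_calls(SAMPLE_RECORDS))
```

On this sample the busy pair wins on raw call count, but the hub is identified from connection count alone, which is exactly the inference the post says metadata permits without any call content.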

So, I get why the NSA wants the capability. However, the Fourth Amendment in the Bill of Rights says:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

Section 215 of the Patriot Act — the bulk collection of metadata — gives the NSA the authority to seize information from U.S. citizens without a warrant and without probable cause. To quote Hamlet, "Ay, there’s the rub."

This debate fundamentally comes down to our country's decision on this one issue: do we care more about liberty or security? The Snowden revelations clearly demonstrate what the country is willing to do to preserve our security. I worry about what we give up as a nation as we pursue this path. How far do we go down that rabbit hole if we commit to it? In the entire world history of governments using spy agencies to collect information on enemies and “frenemies,” without fail, when the state turns its intelligence apparatus on its own citizens, things get ugly quickly. People die. 

I am not suggesting that the U.S. is anywhere close to that extreme position, but Section 215 is a first step across the threshold of this unprecedented rabbit hole. This is how it starts. 

I am not alone in my thinking either. On May 7, the Second Circuit Court of Appeals of the United States (a three-judge panel) held that the Patriot Act's Section 215 "… cannot be legitimately interpreted to allow the bulk collection of domestic calling records." [1] Although the Second Circuit Court stops short of calling Section 215 unconstitutional, it clearly believes that the current interpretation of that section — put forth by the NSA and approved by the FISA Court in secret — does not justify the bulk collection of U.S. citizens’ phone metadata. The Christian Science Monitor's Passcode Influencers poll agrees too:

"72 percent of Passcode's Influencers – a group of more than 90 security and privacy experts from across government, the private sector, academia, and the privacy community – are calling for Congress to break the standoff and make reforms."[2]

Full Disclosure: I am one of the Passcode Influencers polled.

We tell ourselves: it’s just metadata — what's the harm? But over time, as we keep chipping away parts of the Fourth Amendment, pretty soon we might find ourselves in an Orwellian novel and wondering how we got here.

What's on the table is a chance to reform Section 215 into something we can all be more comfortable with. What that ends up being is anybody's guess. There are many options from both sides of the political aisle, and we have just now begun to discuss it. But Senate Majority Leader Mitch McConnell introduced legislation on May 7 that would extend Section 215 through 2020, and he invoked a rule to let it go straight to the Senate floor without the usual committee vetting process. In other words, he proposes letting Section 215 ride without any discussion. It is this kind of behavior that invokes a visceral reaction from lefty liberals like myself worried about liberty vs. security issues. It is one thing to extend the provision, but to extend it without any discussion? That’s Orwellian.

What can you do? First, engage. This is such a complicated issue, regardless of how you think we should resolve it, that there are not many people in the country who possess the wherewithal to understand all the nuances. The security community does. When you get the chance, have an open and honest conversation about the issue. Let’s start a full-throated debate and get the ideas on the table. Second, contact your congressman. The June 1 deadline to let the Patriot Act’s Section 215 expire is rapidly approaching. If you feel strongly one way or another about this issue, now is the time to let your voice be heard.

For myself, I think the smartest thing to do is to revoke the provision and start over. This way, we can jump-start that full-throated debate I was talking about regarding how far we want our intelligence agencies to go down the rabbit hole. The Section 215 deadline is a good impetus to start. US lawmakers should absolutely let Section 215 of the Patriot Act expire on June 1.


[1] "N.S.A. Collection of Bulk Call Data Is Ruled Illegal," by Charlie Savage and Jonathan Weisman, The New York Times, 7 May 2015, last updated 17 May 2015,

[2] "Influencers: Congress should end NSA bulk data collection," by Sara Sorcher, Passcode Influencers Poll, last updated 17 May 2015,

Saturday, February 7, 2015

Book Review: Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (2014) by Kim Zetter

Executive Summary

Operation Olympic Games is the US military code name that refers to the first ever act of real cyber warfare. Many journalists have told bits and pieces of the story since the attacks became public in 2010, but none have come close to telling the complete story. In Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Kim Zetter changes that situation. She takes an extremely complicated subject in terms of technical detail, political fallout, and philosophical conundrums and makes it easy for the security practitioner to understand. It is a masterful bit of juggling and storytelling. It is cyber-security-canon worthy, and you should have read it by now.


Kim Zetter has been at WIRED magazine since 2003 and has become one of the cyber security community’s go-to journalists to explain what is really happening within the space. When I heard that she was writing a book about the Stuxnet attacks, I was thrilled. I knew if anybody could take on this complicated subject, Zetter could. One of the annoying truisms of keeping up with cyber security events in the news is that journalists rarely go back and attempt to tell a complete story. When cyber security events occur — like the Target breach, the Sony breach, and the Home Depot breach to name three — news organizations print the big headlines initially and then trickle out new information over the next days and weeks as it becomes available. For cyber security professionals trying to keep up to date on industry news, we rarely get the opportunity to see the big picture in one lump sum. We are not going to get that kind of story in a news article. You need a book to cover the detail, and there have been some good ones in the past. Mark Bowden’s Worm — about the Conficker worm and the cabal that tried to stop it — is one good example.[1] Another is The Cuckoo’s Egg, which is about the first publicly documented cyber espionage attack in the late 1980s.[2] Zetter’s book Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon is the latest in the line, and it is really good.[3]

The Story

Operation Olympic Games is the US military code name that refers to the first ever act of real cyber warfare. Many journalists have told bits and pieces of the story since the attacks became public in 2010, but none have come close to telling the complete story. In June 2012, David E. Sanger published an article in The New York Times proclaiming for the first time that the United States, in conjunction with Israel, was indeed behind the infamous Stuxnet malware attacks that targeted the Iranian nuclear enrichment plant at Natanz.[4] Sanger followed that article, along with others, with his book Confront and Conceal: Obama’s Secret Wars and the Surprising Use of American Power.[5] In his articles and this book, he gave details about the cyber operation called Operation Olympic Games, which I consider to be the first act of cyber warfare in the world. Because the story was so new and so complicated, many of the technical details surrounding the attacks did not fully emerge until well after Sanger published his book. I have tried to keep up with the story myself over the years and even presented versions of it at DEF CON[6] and RSA,[7] but I do not have the journalistic chops to tell the complete story, and this is where Zetter’s book shines. Whereas Sanger’s book focused on the US foreign policy implications of offensive cyber warfare using government insiders as the main source, Zetter’s book fills in the technical story behind the attacks by interviewing everybody in the public space who was involved in unraveling the Stuxnet mystery. Zetter writes clearly and succinctly about the timing of key researchers discovering new facts, describes how the researchers determined when the attackers first used key pieces of the attack code, and then feathered those technical events with what was happening in the political arena at the same time. It is a masterful bit of juggling and storytelling.

The Code

Because of Countdown to Zero, we now have a complete picture of how the attack code worked. Zetter goes into great detail about how the malware proliferated within the Iranian power plant at Natanz and after it escaped into the wild. She puts to bed the question of how many zero-day exploits the attackers used in the complete code set, what they were, and how effective they all were. She covers all of the versions of the malware from Stuxnet, to DuQu, to Flame, and to Wiper. She even covers some of the tools of the trade that the researchers used to decipher the code base.


In Countdown to Zero, Zetter explains the significance of the critical and mostly unsecured supervisory control and data acquisition (SCADA) environments deployed in the United States today. These systems automatically control the flow of all power, water, and gas systems used within the United States and throughout most of the world. According to Zetter, 

“There are 2,800 power plants in the United States and 300,000 sites producing oil and natural gas. Another 170,000 facilities form the public water system in the United States, which includes reservoirs, dams, wells, treatment facilities, pumping stations, and pipelines. But 85 percent of these and other critical infrastructure facilities are in the hands of the private sector, which means that aside from a few government-regulated industries—such as the nuclear power industry—the government can do little to force companies to secure their systems.”[3]

In my experience, the SCADA industry has always been at least 10 to 15 years behind the rest of the commercial sector in adopting modern defensive techniques, and Zetter provides a possible explanation for this delay:

“Why spend money on security, they argued, when none of their competitors were doing it and no one was attacking them?”[3]

The significance of that statement becomes obvious when you realize that the same kinds of programmable logic controllers, or PLCs, that the United States exploited to attack Iran are deployed in droves to support the world’s own SCADA environments. The point is that if the United States can leverage the security weaknesses of these systems, then it is only a matter of time before other nation-states do the same thing and the rest of the world is no better defended against them than the Iranians were.

The Philosophical Conundrum

In a broader context, Countdown to Zero highlights some philosophical conundrums that the cyber security community is only now starting to wrestle with. We have known about these issues for years, but Zetter’s telling of the story makes us reconsider them. Operation Olympic Games proved to the world that cyber warfare is no longer just a theoretical construct. It is a living and breathing option in the utility belt for nation-states to use to exercise political power. With Operation Olympic Games, the United States proved to the world that it is possible to cause physical destruction of another nation-state’s critical infrastructure using nothing but a cyber weapon alone. With that comes a lot of baggage. 

The first is the intelligence dilemma. At what point do network defenders stop watching adversaries misbehave within their networks before they act to stop them? By acting, we tip our hand that we know what they are doing and how they are doing it. This will most likely cause the adversary team to change its tactics. Intelligence organizations want to watch adversaries as long as possible. Network defenders only want to stop the pain. This is an example of classic information theory. I first learned about information theory when I read about the code breakers at Bletchley Park during WWII. Because the allies had broken the Enigma cipher, the Bletchley Park code breakers collected German war plans before the German commanders in the field received them, but the Allies couldn’t act on all of the information because the Germans would suspect that the cipher had been broken. The Allies had to pick and choose what to act on. This is similar to what the Stuxnet researchers were wrestling with too. Many of them had discovered this amazing and dangerous new piece of malware. When do they tell the world about it?

The next conundrum involves the national government and vulnerability discovery. Zetter discusses the six zero-day exploits used by Operation Olympic Games in the attacks against Iran. That means that the US government knew about at least six high-impact vulnerabilities within common software that the entire nation depends upon and did nothing to warn the nation about them. If another attacker decided to leverage those vulnerabilities against the United States’ critical infrastructure in the same way that the United States leveraged them against Iran, the results could have been devastating. The nation’s ethical position here is murky at best and criminal at worst. Added to that is the well-known practice of the private sector selling zero-day exploits to the government. Should the government even be in the business of buying weapons-grade software from private parties? Zetter offers no solutions here, but she definitely gives us something to think about.


Zetter fills in a lot of holes in the Stuxnet story. In a way, it is a shame that it has taken five years to get to a point that the security community feels like it understands what actually happened. On the other hand, without Zetter putting the pieces together for us, we might never have gotten there. I have said for years that the Stuxnet story marked the beginning of a new era for the cyber security community. In the coming years, when it becomes common practice for nation-states to lob cyber attacks across borders with the intent to destroy another nation’s critical infrastructure, we will remember fondly how simple defending the Internet was before Stuxnet. Zetter’s book helps us understand that change. She takes a complicated subject and makes it easy to understand. Her book Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon is cyber-security-canon worthy, and you should have read it by now.


[1] “The Cybersecurity Canon: Worm,” by Rick Howard, Unit 42, 4 February 2014, last visited 25 January 2015,

[2] “The Cybersecurity Canon: The Cuckoo’s Egg,” by Rick Howard, Unit 42, 24 December 2013, last visited 25 January 2015,

[3] “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon,” by Kim Zetter, Published by Crown, 11 November 2014, last visited 25 January 2015,

[4] “Obama Order Sped Up Wave of Cyberattacks Against Iran,” by David E. Sanger, The New York Times, 1 June 2012, last visited 25 January 2015,

[5] “The Cybersecurity Canon: Confront and Conceal,” by Rick Howard, Unit 42, 7 January 2014, last visited 25 January 2015,

[6] “Defcon-19-an-insiders-look-at-international-cyber-security-threats-and-trends,” by Rick Howard, DEF CON 19, 6 August 2011, last visited 25 January 2015,

[7] “Operation Olympic Games Is the Tom Clancy Spy Story that Changed Everything,” by Richard Howard, RSA Conference 2014, 28 February 2014, last visited 25 January 2015,

Tuesday, January 13, 2015

Book Review: Winning as a CISO (2005) by Rich Baich

Executive Summary

The latest candidate for the cyber security canon is Rich Baich’s Winning as a CISO. The roles of the chief information officer (CIO), the chief security officer (CSO), and the chief information security officer (CISO) in the modern enterprise have been constantly changing since we invented the need for such roles in the 1980s and 1990s. By the mid-2000s, the industry had settled on tucking the security function for an organization under the IT function of an organization. In other words, the CISO works for the CIO. But Baich is an innovative thinker. He has looked at how the CISO role has evolved over the years and makes a pretty good case for where it needs to go next. By asking questions about the appropriate supervisor for a CISO, a CISO’s needed skill set, and ways to approach the CISO job function, Baich breaks new ground on how the industry should view these topics. Our industry will be slow to adopt these new ideas, but with the rash of highly publicized and impactful data breaches to the retail sector in 2014, perhaps the industry is ready to start making a change. Reviewing Baich’s book is a good place to start. It is cyber-security-canon worthy, and you should have read it by now.


The roles of the CIO, the CSO, and the CISO in the modern enterprise have been constantly changing since we invented the need for such roles in the 1980s and 1990s. I picked up Winning as a CISO because my boss handed it to me after he met the author, Rich Baich, at a security event. He said that Baich was a smart guy and had some interesting ideas about the modern CISO’s role in today’s environments. In this book, Baich explains some innovative thinking about what today’s CISOs should be responsible for, how they should fit into the organization, and how they might accomplish their tasks once they are established. In order to understand where Baich is coming from, it is useful to review the history of the CIO, CSO, and CISO roles in modern business.

CIO, CSO, and CISO History

The idea of the C-suite did not really materialize until the 1920s when Alfred Sloan, the hugely successful chief executive officer (CEO) of General Motors, decided to distribute profit and loss (P&L) responsibility across his division managers in response to shareholder and regulator demand for more accountability.[1] 

Because of General Motors’ success with this new P&L model, business leaders across the world adopted it for their own organizations. That model lasted some 60 years until the 1980s when CEOs realized that in order to drive organizational change, they needed executives with technical and functional specialties.[1] CEOs began creating new C-level executive positions like chief marketing officers (CMOs), chief financial officers (CFOs), and, yes, CIOs. The idea of a C-level executive dedicated to security did not really emerge until the late 1990s, 10 years after the CIO position had become firmly established in modern business.

Steve Katz became the first CISO in 1995 when Citigroup created the role to respond to a highly publicized Russian malware incident.[2][3] Since then, the security industry specifically and business leadership in general have been thinking and rethinking the need and the responsibilities for such a person. 

The first practitioners came out of the technical ranks. Vendor solutions to mitigate the cyber threat ran on networks and workstations. In order to manage those solutions, it was helpful to have people who understood that world, but this was a new thing for the techies; trying to translate technical risk to a business leader did not always go very well. Security techies have always been, and still are, passionate about their responsibilities. The early trailblazers tended to say “no” to any new project because of the potential security risk. The business leaders did not want to deal with these people who wanted to make organizational decisions with no thought about the bottom line. It became convenient to tuck these kinds of people underneath the CIO organization. CISOs began working for the CIO because, from the C-suite perspective, all of that technical stuff belonged in one basket, and the security people did not know how to talk to the business people.

As business leaders began applying resources to mitigate cyber risk, other areas of security risk started to emerge: physical security, compliance, fraud prevention, business continuity, safety, ethics, privacy, brand protection, etc. The idea of the CSO role began to gain popularity with business leaders because they needed someone to look at the entire business, not just cyber security risk to the business, but general security risk to the business. CSO Magazine launched in 2002 to cater to that crowd.[4]

By the mid-2000s, the industry had settled on tucking the security function for an organization under the IT function for an organization. In other words, the CISO works for the CIO. This is not bad per se, and this arrangement works in many organizations. The IT folks generally handle the daily automation functions while the security teams have more of an oversight role in terms of security architecture, policy, risk assessment, and security operations. 

Since then, the industry has been in flux. Not every company is organized the same way. While the CIO role has made its way to the senior executive suite in some companies (Intel Corp. and McAfee to name two), that is by no means the norm. The CSO role is likewise lagging. Both tend to be lodged at the second tier of executives in many companies. And while it is not universal, the CISO tends to work for the CIO.

The Story

All of this history is essential background to the key messages in Baich’s book Winning as a CISO. He published it in 2005 and was quite rightly taking a look at where the CISO role was heading next. He organized the book as a fictional story about an established company in which the CEO had decided to hire his first CISO. His executive leadership team – the CIO, the general counsel, and the chief operating officer (COO) – had to decide what the new CISO’s responsibilities were and where this individual would fit in the organizational structure. Once the CEO made those decisions, the newly hired CISO had to decide how to execute this new role.

The Tech

The book is a quick read, with only 115 pages including the end credits, but it is a primer on what a CISO should do for any organization. In essence, any organization could use Baich’s book as a basic job description for a new CISO hire.

What Are a CISO’s Responsibilities?

When the story’s CEO brought his executive staff together to discuss the new position, he had them develop a list of responsibilities for the new hire. Here is the list:

  • Security Architecture
  • Incident Response
  • Security Awareness
  • Identity Management
  • Security Policy Development and Compliance
  • Due Diligence for Acquisitions and Mergers
  • Risk Management[5]

I think this is a pretty good list of high-level responsibilities. Anything that comes up later that we might want the CISO to do can be easily shoehorned into one of these broad categories. Once the staff agreed to the responsibilities, the next step was to determine which senior executive should own them. In other words, which senior executive should the CISO work for?

To Whom Does the CISO Report?

All of the senior staff members had their perspectives. The CIO said, “The CISO should report to the IT Department because the focus of information security is related to technology. Information security solves technology related risks.”[5] The general counsel said, “The CISO should report through the legal structure. [The] focus can be placed on compliance.”[5] The COO said, “The CISO will have to collaborate with all departments, and everyone, including the sales team will benefit, but the team member who will need to utilize the resulting information the most will be the COO. A clear understanding of the operational risk factors will enable the successful CISO to present to the COO with a rubric of important options.”[5]

The CEO weighed each of these perspectives and had a few of his own. He said that he did not want the new CISO to have to wrestle with any artificial organizational conflicts because he chose to put the position under one senior executive as opposed to another.[5] He said that putting the CISO under the CIO had a number of problems, but the most important one was that it created a conflict of interest. “Reporting to the CIO would be like putting your boss on report.”[5] The CISO’s job is to make things more secure, and sometimes that job may be in direct conflict with the CIO’s job of making things more efficient. With the CISO under the CIO, the organization automatically weights efficiency needs over security needs, and that obviates the reason to hire the CISO in the first place.[5]

An opposing view comes from Forbes reporter Howard Baldwin. He complained in March 2014 that he did not like recent changes he was seeing within organizations that had broken out the security function to be a peer to the CIO. He says that these CIOs are highly paid executives who can handle competing priorities.[6] In other words, the CIO can handle making decisions between security and efficiency. That is what we pay a person in this position to do.

But that is not the point. In an interview by Jack Rosenberger, Eric Cole -- founder and chief scientist at Secure Anchor Consulting -- speculated on one of the reasons that may have contributed to the Target breach in 2014.[7] Cole said, “It is almost a guarantee that Target had an amazing security team, and they were screaming and yelling about all of the security issues, but there was no advocate who was listening to them and fighting for their cause with the executives.”[8] Cole is pointing out that of all the priorities the Target CIO had to juggle, security lost out. As Brian Krebs reported in the Guardian, “Virtually all aspects of retail operations are connected to the Internet these days: when the security breaks down, the technology breaks down – and if the technology breaks down, the business grinds to a halt.”[9] Before the breach, the pressure to keep the IT infrastructure up and running must have been immense for both the now-resigned CIO and the now-fired CEO. Krebs suggests that in hindsight, because of the breach’s devastating impact to the business, the Target CISO should not have worked for the CIO. It should have been the other way around.[9]

In Baich’s story, the CEO had reservations about putting the CISO under other staff organizations too. He said that putting the CISO under the general counsel “would potentially position the Information Security department as an arm of the audit department.”[5] According to Baich, auditing support is something the new CISO should help with, but based on the responsibilities the executive staff developed, the CISO’s role is much bigger.[5]

The CEO ultimately put the CISO under the COO. To him, it made sense that the CISO position be perfectly positioned to support the entire organization and not one specific staff element. I think this makes sense. If loss associated with security is something that will potentially materially affect the business, it makes total sense to raise the platform of the person in charge of it to have a view of the entire organization and the power to affect change. If that is the case, then what skill sets are needed for the person who takes on that responsibility?

What Skill Sets Does a CISO Need?

Once he decided whom the CISO should work for, the CEO turned again to his senior staff to determine what skill sets would be essential for success. Without fanfare, Baich lists these five attributes:

  • Must have an MBA
  • Prior budget or P&L experience
  • A proven ability to lead an effective information security organization
  • Experience and skill as a change agent
  • Ability to serve as an information security expert for the executive team[5]

The last three skills are fairly standard for many senior job positions in any organization. The first two are where Baich is providing some innovative thinking. Requiring an MBA and P&L experience for a CISO, as a mandatory requirement, is not the common thinking in the industry, but it is spot on for where the industry needs to go. As I said earlier, most CISOs have come up through the technical ranks and have little if any business experience. This is probably the main reason that security teams and business teams have a hard time communicating with each other. By requiring a CISO to have business experience first, Baich flips the typical experience equation on its head. Instead of training highly technical employees to be proficient in business concerns at the mid- to latter parts of their careers, he is suggesting that we take traditional business people and train them to be proficient in managing security operations. 

“If performing vulnerability assessments, configuring firewalls, and performing network forensics makes you happy then becoming Chief Information Security Officer may not be the right career choice for you.”[5]

Just like a traditional business person might find himself or herself as a general manager, product manager, finance officer, or marketing officer, Baich is suggesting we add security officer to the list, and I agree with him.

How Do You Be a CISO?

In Baich’s story, the CEO placed the CISO under the COO in order to give the position a matrixed view of the business. In that kind of environment, how does a CISO succeed? In spite of all the listed responsibilities this CISO has for the organization, Baich says that the most important implied responsibility for the CISO is running his or her organization like a business. The CISO needs to become the general manager of the security program.

“Ultimately, the success of any business, new or old, depends on a leader’s ability to build a team, market and sell the product, and run the business, still meeting the established measurements necessary to effectively operate the business.”[5]

Although the CISO in this story will bring in no revenue, this individual has to demonstrate to the business leadership the value of the position in other ways. The CISO must become a world-class internal marketing person for every aspect of the security program. It is not enough to make the organization more secure. The CISO’s efforts to do so must demonstrably show how the security program is helping the organization grow. 


Baich is an innovative thinker. He has looked at how the CISO role has evolved over the years and makes a pretty good case for where it needs to go next. By asking questions about the appropriate supervisor for a CISO, a CISO’s needed skill set, and ways to approach the CISO job function, Baich breaks new ground on how to think about these topics. Baich published the book in 2005. Back then, there was not a lot of impetus to change the current situation, and I do not see the industry adopting these ideas any time soon. But with the rash of highly publicized and impactful data breaches to the retail sector in 2014, perhaps the industry is ready to make a change. It is obvious that the way we are doing it now is not working. Because of Baich’s innovative thinking about the next step in the evolution of the CISO role, Winning as a CISO is cyber-security-canon worthy, and you should have read it by now.


[1] “The C-suite: Time for version 3.0?” by Eamonn Kelly, Deloitte University Press, 31 March 2014, last visited 6 January 2014,

[2] “EVOLUTION OF THE CISO And the Confluence of IT Security & Audit,” by Thomas Borton, ISACA, 13 March 2014, last visited 30 May 2014,

[3] “Prominent Information Security Executives Steve Katz and Michael Barrett Join Fortscale's Advisory Board,” by Fortscale, PR Newswire: Market Watch, 8 January 2014, last visited 30 May 2014,

[4] “Decade of the CSO: Looking back at 10 years of change and progress - and forward to what lies ahead,” by Derek Slater, CSO Magazine, 1 October 2012, last visited 30 May 2014,

[5] “Winning as a CISO,” by Rich Baich, Published by Executive Alliance Publishing House, 2005, last visited 6 December 2014,

[6] “Point/Counterpoint: Who Should The CSO Report To?” by Howard Baldwin, Forbes, 25 March 2014, last visited 28 May 2014, 

[7] “Reporting From the Web’s Underbelly,” by Nicole Perlroth, The New York Times, 16 February 2014, last visited 28 May 2014,

[8] “The Complicated Relationship Between CIOs and CSOs,” by Jack Rosenberger, CIO: Insight, 11 March 2014, last visited 28 May 2014,

[9] “What Target and Co aren't telling you: your credit card data is still out there,” by Brian Krebs, The Guardian, 6 May 2014, last visited 28 May 2014,