To kick off the last few years, I’ve gone through a mental exercise pretending it will be my final year of full-time work. It hasn’t proven true, but it’s still a good exercise. How should I spend my work time? What projects should I finish? Who do I want to spend my time with? What new things should I learn about? Who are the old (?) friends I should reach out to? Where do I want to travel and/or speak?
I start the exercise by cleaning off my whiteboard. Technically, it’s a frosted glass dry-erase board. (It took me ten years to stop saying “chalkboard.”) The whiteboard is my catchall for ideas, phrases to think about, reminders to self, etc. I copy anything worth saving to electronic storage and then thoroughly clean the board.
But if you look closely, the board is not entirely clear yet. The board also holds the names of people I am paying attention to. Like any cyber industry veteran, I follow the work of the usual impressive suspects and pundits—a special shout-out to Brian Krebs, as well as Chris Novak and the Verizon DBIR team.
But the stray names on the corner of my board are generally lesser known. People I’ve bumped into over the last several decades of my career and whose work or ideas, for various reasons, struck a chord with me. They come and go, but there have been hundreds of people like that, for which I am eternally grateful. Unfortunately, not enough of them know how they have inspired or helped me, and part of my career's last act is to move from gratitude to thankfulness - by reaching out to thank more of these people.
Here are a few of the current names that appear on my board right now. Think of this as a small sample, not a complete list. But I'd rather "name names" and offer credit and thanks than agonize over missing someone.
For many years, I've thought about using data to drive cyber defense recommendations and strategy. This was especially true after I retired from NSA in 2012. I went from an "insider" in the intelligence community to only having access to publicly available data about vulnerabilities, incidents, threats, etc. But rather than a net loss, this was an exciting and constructive challenge. I'll have lots more to say on this later, but several people helped me by generously sharing ideas and inspiring action. While they might not fit the category of "lesser known", I learned a lot from conversations with:
Bob Lord - whose insights helped me think about what became the CIS Community Defense Model, and is currently guiding DHS/CISA in their "Secure by Design, Secure by Default" work;
Roger Grimes (KnowBe4) - one of the industry's most pragmatic thinkers and writers about the use of data in cyber;
and Adam Shostack - whose book "New School of Information Security" caught me at the right time as I considered this topic.
As I thought about data, cyber, and how it should better drive business decisions, I've also greatly benefitted from conversations with:
Lisa Young (Netflix) - who constantly challenges me to think about risk decision-making holistically; and
Evan Francen (FRSecure) - a pragmatic, blunt thinker (see "Unsecurity"), and an indefatigable champion for the cyber underserved.
My long career in public service "feeds my soul" (35 years at NSA as a Federal employee, the rest in non-profit cyber) - I was born for it. But I must also confess that I never had what it takes to be a successful industry entrepreneur. I've known, and respect, so many of them, but I could not do what they do. And today, when I want to be inspired by their spirit, commitment, and ideas, some of the people I pay attention to are:
Tina Williams-Koroma - I have tremendous respect for her tireless energy and leadership skills;
Tim Teal - one of my NSA teammates, who has gone on to do great work as an entrepreneur, leader and all-around straight shooter; and
Julie Michelle Morris - she helps me to see problems (including the self-inflicted ones) and solutions differently, which is a precious gift.
There are So Many Others that I'll save for another time.