The emperor has no clothes: the current state of the CISO - RSA conference presentation prep.
I love the RSA Security Conference. It’s held annually, usually in the springtime, in the City by the Bay, San Francisco, my favorite city. I've been attending and speaking there, on and off, for over a decade. It's one of the biggest security conferences of the year. This is not a hacker conference like, say, Defcon1 or Blackhat,2 or even one of the many B-Sides conferences3. The RSA Security Conference is for security practitioners, the unsung heroes who defend their organizations in cyberspace. This is their chance to meet and exchange ideas on the latest developments within the cybersecurity landscape. Last year, about 21 thousand people attended; which is pretty decent since we were all just emerging from COVID lockdown. Before Covid, the conference averaged about 50 thousand attendees, and I expect that will be about the size this year.
A description of what the RSA security conference is.
Since it’s held in San Francisco, near Silicon Valley, practically every security vendor on the planet mans a booth in the expo. I worked for one of those vendors in my last job, and the Chief Marketing Officer said that if the company didn’t show a presence on the vendor floor at RSA, the customer base would notice, and wonder why. They would see it as a sign that the company was failing in some way. But it’s not cheap to be on that floor. According to our own CMO at N2K, Emily Bradford, these are the current booth space prices for this year’s conference:
- 10’ x 10’ ($16,000)
- 10’ x 20’ ($32,000)
- 10’ x 30’ ($48,000)
- 20’ x 20’ ($64,000)
- 20’ x 30’ ($96,000)
- 30’ x 30’($144,000)
And that doesn't include the design and build of the booth, plus travel and shipping costs for equipment (like computers and monitors), marketing materials (Give-Aways), and booth babes. And before you write in to complain, that’s not a sexist comment. The running joke for the conference is that all people who man the booth are booth babes. Just picture me—an old and slightly overweight white guy, wearing a polo shirt with the company logo and handing out tchotchkes as a booth babe—and you will see why that’s funny. Let’s call all of that a significant investment; especially if you’re a startup with a tiny booth in the back of the expo hall.
But for the attendees, the atmosphere is electric and fueled by a sense of camaraderie and community. It's a cross between Mardi Gras and your local high school reunion; Mardi Gras with the flashy lights and loud music from the booths and a high school reunion because many of the people that you've worked with in your career usually attend. I've told this story many times before, but there’s a guy I used to work with that I run into every year, Kevin, usually on the corner of the Moscone Convention Center and the W hotel, where we pick up the conversation right where we left it from the last time we ran into each other. I love that.
At last year's Conference, I ran into another old buddy of mine, Todd Inskeep, the founder of a consulting company called Incovate Solutions. Todd and I have been friends for a long time and we got to talking about his business and the latest development in the CISO career path; something called virtual CISOs or fractional CISOs. I had him come on the show last year to talk about it. It's episode 5 from Season 11.4
The main idea behind the Fractional CISO concept is that some companies have decided that they don't need a full time CISO on their staff. What they do need though is somebody with CISO experience to come in and help them get their fledgling infosec program going
and maybe check in every once in a while. In other words, they would contract the CISO work out.
This isn’t a new business idea. It’s just new to the security community. It started with fractional CFOs (Chief Finance Officers) back in the 1980s. Fortune 500 companies began outsourcing their back-office functions to countries with lower labor costs, such as India and the Philippines. In the 1990s, the trend of outsourcing expanded to include smaller businesses that could not afford to hire a full-time CFO. Instead, they turned to an outsourced CFO who could provide strategic financial guidance and help them manage their finances on a part-time basis. Other fractional executives emerged in the wake of that success: Chief Marketing Officers (CMOs), Chief Operating Officer (COOs), Chief Information Officer (CIOs), and Chief Human Resources Officer (CHROs). The fractional CISO is just late to the game.
If you listen to the episode with Todd, you can hear that I didn't see that coming. When I started this CISO gig back in the day, I expected that the role would keep moving up the leadership chain and would eventually end up on the executive staff as a matter of course, and not as the exception. I always thought that CISOs would eventually become a peer to the CFO, the CTO, and the Chief Legal Officer. Today, except for a few minor examples in big companies, mostly in the financial vertical, that hasn’t happened. What has happened is that some senior organizational leaders have decided that a part time CISO is good enough. Consequently, some veteran CISOs, CISOs who have been in the saddle in one or more organizations, have moved in to fill the need. They formed their own companies and started offering fractional CISO services. A famous example is the Krebs / Stamos Group (KSG).5 Brian Krebs is the former director of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Alex Stamos was the former Facebook Chief Security Officer (CSO) and the Yahoo Chief Information Security Officer (CISO). And, that's what Todd's company does.
“The emperor has no clothes” - why the title?
After he and I did the interview last year, we got to talking about the current state of the CISO position. It was a fantastic conversation. At the end, we said, hey, this would make a decent RSA talk. So, we submitted a proposal to the conference selection committee, and, much to my surprise, we got accepted.
It’s called, The Emperor Has No Clothes: the Current State of the CISO, and is
scheduled for Wednesday afternoon, 26 April, from 2:25 to 3:25 PST. If you’re in town, please join us. For those that are not making the journey, I thought I’d give you a preview of what the session is going to be about and how we put it together.
It’s called The Emperor Has No Clothes because the role of the CISO is really not the chief of anything. CISOs have the title and nothing else. When you hear other titles like CEO, CMO, and CTO, you know that the people who hold those titles are on the senior executive team. When you hear CISO or CSO though, you might assume those people are part of the executive staff but that isn’t the case at all. There are exceptions, but in the best circumstances, those people are senior vice presidents in charge of cybersecurity, usually buried in the leadership bureaucracy one or more levels down. In other less than ideal circumstances, they don’t even have the CISO title and are managers or directors of security, but when they announce themselves at parties, they say something along the lines of like, “I don’t have the title but I’m essentially the CISO.”
To prove my point, one metric to look at is the number of CISOs or CSOs listed on corporate leadership team web pages for the most successful businesses. Let’s pick three categories of business: Fortune 500 companies, Fortune 500 financial companies, and the top security vendor companies.
Top 5 Fortune 500 Company Leadership Teams6
- 1: Walmart: CEO, Legal, CTO, CFO, HR (No CISO)7
- 2: Amazon: CEO, CFO. (No CISO)8
- 3: Apple: CEO, Legal, CFO, COO, Software Engineering, AI, (No CISO)9
- 4: CVS Health: CEO, CFO, HR, CTO, (No CISO)10
- 5: United Healthgroup: CEO, COO, CFO, Legal, HR, CMO, CTO, (No CISO)11
Top 5 Financial Fortune 500 Company Leadership Teams12
- 1: JP Morgan Chase: CEO, CRO, CFO, CIO (No CISO)13
- 2: Fannie Mae: CEO, CFO, CMO, CRO, CIO, HR, Audit, Legal, (No CISO)14
- 3: Bank of America: CEO, CTO/CIO, HR, CFO, CRO, Legal, COO, (No CISO)15
- 4: Wells Fargo: CEO, CRO, COO, CFO, Legal, HR, Public Affairs, (No CISO)16
- 5: Citi: CEO, CFO, Legal, Chief of Staff, CRO, HR, CIO (No CISO)17
Top 5 Security Vendors by Revenue Leadership Teams18
- 1: Palo Alto Networks: CEO, CTO, Product, CFO, HR, CMO, CIO, CFO, (No CISO)19
- 2: Fortinet: CEO, CTO, CFO, Legal, CMO, (No CISO)20
- 3: Cisco: CEO, CFO, Legal, HR, COO, Chief of Staff, (CSO: Brad Arkin)21
- 4: Crowdstrike: CEO, CFO, CMO, Product (CSO: Shawn Henry)22
- 5: ZScaler: CEO, COO, CFO, Legal, CMO, HR, CIO, Product (No CISO)23
Out of 15 companies, only two have a CISO listed and they are both security vendors. That’s roughly 13%. Using leadership team web pages is not a perfect metric. I mean it doesn’t prove a trend or anything. But it’s one data point that supports the theory that CISOs are mostly CISOs in title only. They really aren’t wearing any “Chief” clothes at all.
You might ask that if CISOs sit on corporate boards, would that mean they have reached the right level? According to Claudia Glover at the Tech Monitor website, out of 321 CISOs surveyed in 2021, only 12 of them actually have sat in those seats, about 4%.24 Those would be the exceptions. But, she also says that Gartner predicts by 2025, 40% of companies will have a board member sitting on a subcommittee dedicated to overseeing cybersecurity risk. That would be the good news. That said, I advise approaching that stat with some caution. Even if those positions do emerge in the next couple of years, it doesn’t necessarily mean that a CISO or former CISO would fill it. Most of us have no idea how to calculate cyber risk. In fact, I’ve written multiple essays over the last few years on the topic showing how to do it.25 26 27 28 And I’ve even written a book with a chapter dedicated to the process (You can pre-order it now on Amazon).29 The point is that a board committee position that oversees cyber risk will likely look for business risk experience, not CISO experience. I’m just saying.
The role of the CISO started off well. Citibank hired Steve Katz to be the first ever Chief Information Security Officer in 1995 in response to one of the first ever cyber attacks against the financial sector.30 31 Interestingly enough, Katz was not part of the Citibank leadership team when he took the position. But he was board approved and had their attention because of the breach. Back then, my peers in the industry, who weren't CISOs yet (because there weren't any - I didn’t get my first corporate CISO gig until 2012, over a decade later) thought it was just a matter of time until CEOs elevated the CISO position to the leadership team. But that’s not what happened.
When CEOs started hiring CISOs, they logically thought that they needed a leader who understood the tech. So, they pulled from the technical teams to find those people. What happened immediately was that the technicians who managed networks, endpoints, and help desk teams found themselves in charge of security with the lofty title of CISO. That was fine for a time, but it shortly became clear to leadership that most of those people didn’t speak business.
They spoke in terms of ones and zeros, firewalls, and defense-in-depth, not quarterly analyst reports, GAAP and non-GAAP financial measures, and EBITA. These new CISOs came into leadership and board meetings spouting stats on unpatched vulnerabilities, malicious code, and zero day exploits and the leadership team looked at them like the famous RCA dog, Chipper, looking confusedly at the sound coming out of the phonograph speaker.32 Like Chipper, they had no idea what the CISO was talking about and CISOs didn’t know what to say to make them understand the risk to the business. We didn’t have the words for it. Most of us still don’t.
After a few years of this, CEOs started pushing CISOs further down the bureaucracy usually to work for the CIO. Senior leadership knew that they needed somebody watching cybersecurity for them, but they needed a nerd buffer between them; someone who could translate the bits and bytes into business terms that they could understand.
Compliance as a CISO skillset.
The first ever cybersecurity compliance law enacted anywhere was the United States “Computer Fraud and Abuse Act (CFAA)” in 1986. But it was designed to give law enforcement a way to arrest cyber criminals. In the late 1990s and early 2000s though, we started seeing the first compliance laws passed designed to impact corporate environments:
- 1996: US Health Insurance Portability and Accountability Act (HIPAA): Requires healthcare providers to protect the privacy and security of patients' health information.
- 1999: US Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to protect the confidentiality and security of customers' personal information.
- 2002: US Sarbanes-Oxley Act (SOX): Requires publicly traded companies to maintain accurate financial records and establish internal controls to prevent fraud.
- 2002: US Federal Information Security Management Act (FISMA): Requires federal agencies to develop and implement information security programs to protect government information and systems.
- 2004: Global Payment Card Industry Data Security Standard (PCI DSS): Requires organizations that accept credit card payments to protect the security and privacy of cardholder data
The result was that if one or more of these laws impacted your organization, somebody had to manage the compliance process. In many cases, especially in the financial and medical verticals, these tasks fell to the CISO.
Compliance law and a rash of high-profile data breaches in the 2000s like
- The 2000 breach of Egghead.com33
- The 2004 breach of ChoicePoint34
- The 2005 breach of CardSystems Solutions35
- The 2007 breach of TJX Companies36
…may have also instigated the idea that instead of one CISO at the top of the organization by themselves, business leaders needed their own security officers, their own Business Information Security Officers (BISOs). For example, at Amazon lets say, the security needs for the retail website might be a lot different from the AWS product. Amazon business leaders might hire one BISO for the retail business and another one for AWS. They might report to the overall Amazon CISO to ensure that every organization in the company is following the same first principle strategies but each BISO might select different first principle tactics that will have the most impact to their organization. A BISO is typically a mid-level manager or director for a specific business unit and communicates with the CISO to ensure that the business unit's security initiatives align with the organization's overall security strategy.
The “Cambrian Explosion” of digital environments.
Amazon launched AWS in 2006.37 Other vendors like Microsoft (2008)38 and Google (2009)39 quickly followed suit. Apple released the first iPhone in 2007.40 The impact to organizations was that IT and security professionals, as well as business leaders, had to manage a Cambrian Explosion of new technical innovation and data storage locations across multiple data islands like mobile devices, cloud environments (both SaaS and IaaS/PaaS), and the still existing and locally controlled data centers and HQ locations. This was a scramble. Security practitioners went from managing one security stack within their own digital corporate landscape to multiple security stacks on each data island that they didn’t explicitly own. It’s what we call in the biz as a paradigm shift.
We thought that security was hard before. The Cambrian Explosion exponentially exploded the complexity in our security environments not to mention the complexity in our general purpose IT architectures. CISOs and BISOs were now designing and implementing security stacks in all these environments that didn’t necessarily talk to each other. The cloud and mobile devices may have made employee and customer access convenient, but combined they made it almost impossible to manage in the way we had been doing before; manual toil.
In those days, if you wanted to update a tool configuration in the security stack, somebody logged into the device and made the change. That was fine when you only had three tools in the security stack. But with the Cambrian Explosion, that number has exploded. In a survey conducted by Panaseer in 2021, out of 2100 security decision makers across multiple verticals, the average number of security tools they buy and install is about 76.41 It’s impossible to manually manage that toolset efficiently. Enter DevSecOps.
The DevSecOps CISO.
The DevOps movement really got its start in the early 2000s with Amazon and Google building infrastructure as code systems to support their growing businesses. But we didn’t give it a name until 2009 when it emerged as an industry best practice out of three converging ideas:
- A 2009 Velocity Conference talk called “10+ Deploys per Day” by John Allspaw and Paul Hammond.42
- The Agile development method from the early 2000s.43
- The Eric Ries’ book, “Lean Startup” in 2011. 44
But the infosec community has been slow to adopt the methodology to manage the security infrastructure. Instead, we adopted helper tools like SIEMs (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response). We pursued security orchestration platforms from the big firewall companies that gave us one interface to manage all of the tools in the stack from a single vendor. But we didn’t embrace the idea of infrastructure as code like our IT peers did. And the DevOps community completely forgot about us until the mid 2010s.
John Willis, one of the authors of “The DevOps Handbook,” said in an interview in March 2021, that everybody involved in the DevOps movement was patting themselves on the back for creating this great thing, but we almost completely forgot about security for eight years or so.45 People were talking about DevOps and security but not with any detail. And then around 2017, Shannon Lietz, then working for Intuit, staked a claim for the DevSecOps phrase. She created a foundation and website dedicated to the purpose of putting security into DevOps. There was some controversy there because many in the movement thought that they had invented the idea, but according to Willis, none of that matters. By creating the foundation, she got the idea front and center again in both the IT and security communities and DevSecOps started to gain traction. But even in 2023, DevSecOps is still almost at the starting line. In 2019, Gartner placed it as just coming out of the Trough of Disillusionment on their Hype Cycle for Application Security and gave it 5-10 years to reach the Plateau of Productivity.46 That said, DevSecOps is the answer to manage the complexity of the Cambrian Explosion. If you have the resources, automation is the strategic first principle to pursue and DevSecOps is the first principle tactic to get it done. In my first principles book, I dedicate an entire chapter to the subject and the Cyberwire has published two shows about it.47 48 49
The CISO evangelist.
On my first day as the CSO of Palo Alto Networks in 2013, I thought my work would focus solely on securing the Palo Alto Networks’ internal infrastructure. What happened immediately though was that the CEO started sending me out to customer meetings and speaking opportunities that he either didn’t want to do or was too busy to do because, you know, he was the CEO. It turns out that from the sales side and marketing side, there was, and is, an inexhaustible need to have company executives go out in the field and explain what the company was doing and how the product set might help potential customer executives. Fast forward to the end of my tenure, six years later, I had 15 former CISOs around the world doing that kind of work. Back then, there were a handful of security vendors hiring people for that role. Today though, it’s almost common practice for security vendors. The most famous example is probably Wendy Nather. She is currently the Head of Advisory CISOs at Cisco. And, another frequent guest to the Cyberwire Hash Table is Bob Turner, former CISO for the University of Wisconsin at Madison, but now is the Field CISO for Education at Fortinet.
The risk CISO.
In 2014, Jack Freund and Jack Jones published their book, Measuring and Managing Information Risk: A FAIR Approach50 and basically said that we were all doing it wrong. Instead of focusing on patching, compliance, and the Cambrian Explosion, we should instead be thinking about risk to the business. Soon after, 2016, Doug Hubbard and Richard Seiersen published their book, How to Measure Anything in Cybersecurity Risk and the die was cast.51 CISOs started to rethink their approach to measuring the effectiveness of their infosec programs. Instead of presenting to the board the number of unpatched vulnerabilities, we began learning how to calculate the probability of material impact to the business due to a cyber event as a first principle strategy and deciding which first principle tactics will have the greatest impact in reducing that probability. In fact, I’ve done four podcasts episodes on the topic:
- Metrics and risk: All models are wrong, some are useful.52
- Infosec teams risk assessment.53
- Risk Forecasting with Bayes Rule: A practical example.54
- Two risk forecasting data scientists, and Rick, walk into a bar. 55
I'm particularly fond of the Infosec teams risk assessment and Risk forecasting with Bayes Rule episodes. They tell you exactly how to forecast the probability of material impact to your organization due to cyber events. And of course, I dedicate a chapter in my first principles book to the subject.56
The product CISO - The Chief Security Product Officer (CSPO).
In recent years, the infosec community has seen a raft of high profile supply chain attacks from common software applications like SolarWinds, Okta and GitHub just to name three.57 We have learned that cyber criminals, spies, and hacktivists might have an easier time coming through a “back door” provided by a trusted software provider than they would coming directly at us. Instead of the attack sequence including a phishing attack targeting the victim’s employee base, the hackers compromise a service like Okta and ride through the victim’s cyber defenses camouflaged as product update deliveries. This has the added benefit that the hackers now have access to many victims, not just the one. Software vendors have realized this too and in order to shore up trust with their customers, some have started to roll out the position of the Chief Security Product Officer (CSPO). These positions require expertise in
- software development life cycle
- secure coding principles
- threat modeling
- risk management
- research and development
According to Vince Arneja, a member of the Forbes Technology Council, the CISO and CSPO have similar skill sets but vastly different responsibilities.58 While the CISO’s knowledge domain is wide (the entire enterprise), the CSPO’s is narrow (one or more products). Think of the CSPO as the security adviser to the Chief Product Officer. Besides the traditional CISO expertise, the CSPO must oversee the security design decisions across the product lifecycle.
This is a relatively new position but a new way station on the cybersecurity career path. In fact, one of our regular visitors to the Cyberwire Hash Table, Helen Patton, just recently took a CSPO position. She is the CISO for the Cisco Security Business Group.
The emperor has no clothes revisited.
I’ve been doing cybersecurity now for 30 years. When Steve Katz took the first CISO position back in the 1990s and the corporate world started to follow suit thereafter, I knew that was the job for me. I always thought it was the pinnacle of being an infosec professional. You learn the ropes by working the jobs in the various alleyways of the infosec community and by the time you take the CISO gig, you’re leading the people-process-technology triad of an entire organization. I knew that this kind of work was important and just assumed that corporate leaders would eventually come around to it too.
I assumed that at some point, as a matter of course, that the CISO position would be part of the executive leadership team. For the most part, that’s not the norm today for the majority of organizations around the world. As I said, there are exceptions. For example, I'm on the executive leadership team at N2K. But for the bulk of us, CISOs have not risen to that level of our organizations.
That’s why this RSA presentation coming up in April is called “The emperor has no clothes.” The CISO is not the “Chief” of anything in the same way that the CEO, the CFO, and the CMO is. But, I'm not sure that it matters. I’ve loved cybersecurity since the late 1980s. The journey to get the experience necessary for a CISO job and the actual CISO job is a fantastic career path. I will tell you this. It’s never boring.
The RSA conference.
This is the last essay from me before the RSA Conference in April. It’s the end of Season 12 of the CSO Perspectives podcast. Session 13 starts in May.
If you’re attending the RSA Conference, please come see me. Todd Inskeep and I are giving the “Emperor has no clothes” presentation on 26 April 26 at 02:25 PM PDT. And I'm signing copies of my book immediately after at the conference bookstore. I would love to see you there.
1 Staff, 2023a. Def Con Hacking Conference [Website]. DEF CON. URL defcon.org/.
2 Staff, 2023b. Black Hat Security Conferences [Website]. blackhat. URL www.blackhat.com/.
3 Staff, 2023c. FrontPage [Website]. Security BSides . URL www.securitybsides.com/w/page/12194156/FrontPage.
4 Howard, R., 2022. Virtual/Fractional CISOs [Website]. The CyberWire. URL thecyberwire.com/podcasts/cso-perspectives/94/notes.
5 Staff, 2022. Team [Website]. Krebs Stamos Group. URL www.ks.group/team.
6 Staff, 2022. List of Fortune 500 companies and their websites [Website]. Zyxware Technologies. URL www.zyxware.com/articles/4344/list-of-fortune-500-companies-and-their-websites.
7 Staff, 2023. Leadership [Website]. Walmart. URL corporate.walmart.com/about/leadership.
8 Staff, 2023. Officers and Directors [Website]. Amazon. URL ir.aboutamazon.com/officers-and-directors/default.aspx.
9 Staff, 2023. Leadership [Website]. Apple. URL www.apple.com/leadership.
10 Staff, 2023. Our Leadership & Executive Team [Website]. CVS Health. URL www.cvshealth.com/about/leadership.html.
11 Staff, 2023. Our Leaders [Website]. UnitedHealth Group. URL www.unitedhealthgroup.com/people-and-businesses/our-leaders.html.
12 Staff, 2022. List of Fortune 500 companies and their websites [Website]. Zyxware Technologies. URL www.zyxware.com/articles/4344/list-of-fortune-500-companies-and-their-websites.
13 Staff, 2023. Our Leadership [Website]. JP Morgan Chase. URL www.jpmorganchase.com/about/our-leadership.
14 Staff, 2023. Leadership Team [Website]. Fannie Mae. URL www.fanniemae.com/about-us/fannie-mae-leadership-team.
15 Staff, 2023. Executive Biographies [Website]. Bank of America. URL newsroom.bankofamerica.com/biographies.
16 Staff, 2023. Leadership and Governance [Website]. Wells Fargo. URL www.wellsfargo.com/about/corporate/governance/.
17 Staff, 2023. Executive Management Team and Leadership Team [Website]. Citi. URL www.citigroup.com/global/about-us/leadership.
18 Shread, P., 2023. 20 Top Cybersecurity Companies for 2023 [Website]. eSecurityPlanet. URL www.esecurityplanet.com/products/top-cybersecurity-companies.
19 Staff, 2023. Our Leadership [Website]. JP Morgan Chase. URL www.jpmorganchase.com/about/our-leadership.
20 Staff, 2021. Who Is the CEO Of Fortinet? [Website]. Zippia. URL www.zippia.com/fortinet-careers-4655/executives.
21 Staff, 2023. Executive Bios [Website]. Cisco. URL newsroom.cisco.com/c/r/newsroom/en/us/executives.html.
22 Staff, 2018. Our Leadership Team & Board of Directors [Website]. CrowdStrike. URL www.crowdstrike.com/about-us/executive-team.
23 Staff, 2023. Leadership Team [Website]. Zscaler. URL www.zscaler.com/company/leadership.
24 Glover, C., 2022. CISO on the board: How the role is evolving for a new era [Website]. Tech Monitor. URL techmonitor.ai/technology/cybersecurity/ciso-on-the-board.
25 Howard, R., 2020. Metrics and risk: All models are wrong, some are useful. [Website]. The CyberWire. URL thecyberwire.com/stories/74747921ff1a4ee68706594ed2005c74/metrics-and-risk-all-models-are-wrong-some-are-useful.
26 Howard, R., 2022. Infosec teams risk assessment. [Website]. The CyberWire. URL thecyberwire.com/stories/e9830596ceec4f769a2fb4a52a149bd2/infosec-teams-risk-assessment.
27 Howard, R., 2022e. Bayes Rule: A different way to think about cybersecurity risk. [Website]. The CyberWire. URL thecyberwire.com/stories/e2f21a64266a4103a4b666590b59bd54/bayes-rule-a-different-way-to-think-about-cybersecurity-risk.
28 Howard, R., 2020. Cybersecurity first principles: risk assessment. [Website]. The CyberWire. URL thecyberwire.com/stories/4dbb956a9d4846c0bc420c939bfd273c/cybersecurity-first-principles-risk-assessment.
29 Howard, R., 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Wiley.
30 Morgan, S., 2020. Backstory Of The World’s First Chief Information Security Officer [Website]. Cybercrime Magazine. URL cybersecurityventures.com/backstory-of-the-worlds-first-chief-information-security-officer/.
31 Katz, S., 2020. The World’s First CISO [Video]. YouTube. URL https://www.youtube.com/watch?v=xVGQdR09hPE.
32 Staff, 2023. Our famous Nipper & Chipper [Website]. RCA. URL www.rca.com/us_en/nipper-chipper-1720-us-en.
33 Richardson, T., 2000. Egghead.com hacked [Website]. The Register. URL www.theregister.com/2000/12/26/egghead_com_hacked.
34 Scalet, S.D., 2005. The Five Most Shocking Things About the ChoicePoint Data Security Breach [Website]. CSO Online. URL www.csoonline.com/article/2118134/the-five-most--shocking-things-about-the-choicepoint-data-security-breach.html.
35 Vijayan, J., Weiss, T., 2005. CardSystems breach renews focus on data security [Website]. Computerworld. URL www.computerworld.com/article/2557971/cardsystems-breach-renews-focus-on-data-security.html.
36 Vijayan, J., 2007. TJX data breach: At 45.6M card numbers, it’s the biggest ever [Website]. Computerworld. URL www.computerworld.com/article/2544306/tjx-data-breach--at-45-6m-card-numbers--it-s-the-biggest-ever.html.
37 Miller, R., 2016. How AWS came to be [Website]. TechCrunch. URL techcrunch.com/2016/07/02/andy-jassys-brief-history-of-the-genesis-of-aws/.
38 Foley, M.J., 2018. Microsoft launched Azure 10 years ago and lots (but not everything) has changed [Website]. ZDNET. URL www.zdnet.com/article/microsoft-launched-azure-10-years-ago-and-lots-but-not-everything-has-changed.
39 Harvey, C., 2017. Google Cloud Platform: History Features & Pricing [Website]. Datamation. URL www.datamation.com/cloud/google-cloud-platform/.
40 Gilbert, B., Jackson, S., 2023. Steve Jobs unveiled the first iPhone 16 years ago — look how primitive it seems today [Website]. Insider. URL www.businessinsider.com/first-phone-anniversary-2016-12.
41 Muncaster, P., 2021. Organizations Now Have an Average 76 Security Tools to Manage [Website]. Infosecurity Magazine. URL www.infosecurity-magazine.com/news/organizations-76-security-tools/.
42 Allspaw, J., Hammond, P., 2009. 10+ Deploys Per Day [Video]. Velocity 09. URL https://www.youtube.com/watch?v=LdOe18KhtT4.
43 Lynn, R., 2018. The History of Agile [Website]. Planview. URL https://www.planview.com/resources/guide/agile-methodologies-a-beginners-guide/history-of-agile/.
44 Ries, E., 2011. The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses [Book]. Goodreads. URL https://www.goodreads.com/book/show/10127019-the-lean-startup.
45 Willis, J., 2021. Diving Into DevSecOps - Part 1 [Website]. Dev Interrupted. URL devinterrupted.com/podcast/diving-into-devsecops-part-1/
46 Sotnikov, D., 2020. API Security Weekly: Issue #68 [Website]. DZone. URL https://dzone.com/articles/api-security-weekly-issue-68.
47 Howard, R., 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Wiley.
48 Howard, R., 2020. Cybersecurity first principles: DevSecOps. [Podcast]. CSO Perspectives. The CyberWire. URL thecyberwire.com/stories/2ea225e4d7af4cbe9aff1e96cf2f3a95/cybersecurity-first-principles-devsecops.
49 The CyberWire Staff, 2022. DevSecOps and securing the container. [Podcast]. CyberWire-X. The CyberWire. URL thecyberwire.com/podcasts/cyberwire-x/29/notes.
50 Freund, J., Jones, J., 2014. Measuring and Managing Information Risk: A FAIR Approach [Book]. Goodreads. URL https://www.goodreads.com/book/show/22637927-measuring-and-managing-information-risk.
51 Hubbard, D.W., Seiersen, R., 2016. How to Measure Anything in Cybersecurity Risk [Book]. Goodreads. URL https://www.goodreads.com/book/show/26518108-how-to-measure-anything-in-cybersecurity-risk.
52 Howard, R., 2020. Metrics and risk: All models are wrong, some are useful. [Podcast]. The CyberWire. CSO Perspectives Podcast. URL thecyberwire.com/stories/74747921ff1a4ee68706594ed2005c74/metrics-and-risk-all-models-are-wrong-some-are-useful.
53 Howard, R., 2022. Infosec teams risk assessment. [Podcast]. The CyberWire. CSO Perspectives Podcast. URL thecyberwire.com/stories/e9830596ceec4f769a2fb4a52a149bd2/infosec-teams-risk-assessment.
54 Howard, R., 2022. Risk Forecasting with Bayes Rule: A practical example. [Podcast]. The CyberWire. CSO Perspectives Podcast. URL thecyberwire.com/stories/3cf992726ebd489db4a45529f0ba1bc5/risk-forecasting-with-bayes-rule-a-practical-example.
55 Howard, R., 2022. Two risk forecasting data scientists, and Rick, walk into a bar. [Podcast]. The CyberWire. CSO Perspectives Podcast. URL thecyberwire.com/podcasts/cso-perspectives/89/notes.
56 Howard, R., 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Wiley.
57 Staff, n.d. 5 Biggest Supply Chain Attacks in 2022 (So Far) [Website]. ImmuniWeb Security Blog. URL www.immuniweb.com/blog/5-biggest-supply-chain-attacks-in-2022-so-far.html.
58 Arneja, V., 2021. The Rise Of The CPSO: Chief Product Security Officer [Website]. Forbes. URL www.forbes.com/sites/forbestechcouncil/2021/02/05/the-rise-of-the-cpso-chief-product-security-officer.