First Quarantine Project

During the enforced isolation and “social distancing” of March 2020, I began to post more often to sites such as Forbes.com, Peerlyst, (where I am an advisor), LinkedIn, and The Analyst Syndicate. In doing so, and with a recent mindset of recording history, thanks to the February 2020 publication of Security Yearbook 2020: A History and Directory of the IT Security Industry, it occurred to me that, taken as a whole, my writing of the past 15 years has some value as a historical record. Choosing topics to write about is invariably flavored by current events and certainly reflective of my own thinking at the time. I decided to quickly compile these essays into book form. It would be far too onerous to expect a reader who may be interested in these topics to wade through all those web pages with their constant popup ads and eye-distracting images appearing in the margins.

I hope my essays prove valuable. Some have aged well. Others have set in motion formative events in my own life. The greatest impact to my career occurred when I published a column in Network World Magazine, October 26, 2006. It was titled Wake up call: An Open Letter to Gil Shwed, CEO of Check Point Software. At the time, Check Point had lost considerable market share to Cisco and was under pressure from Wall Street to make big moves. Within hours of the piece being published I received a call from Ken Xie, founder and CEO of Fortinet. He wanted to discuss hiring me as Chief Marketing Officer. By November 2006 I had wound down IT-Harvest, my industry analyst firm, to join Fortinet. That column is not included in this collection, but will be saved for Volume 2.

I left Fortinet in 2008 and spun up IT-Harvest again. Writing and publishing is a critical part of being an independent analyst, so that was the first thing I concentrated on, first for my blog, ThreatChaos, which I had started while at Webroot, then ZDNET, where they paid a penny per page view. Finally, Andy Greenberg at Forbes reached out and asked me to become a contributor.

Look at my April 2010 criticism of the proposed Rockefeller-Snowe cybersecurity regulation. That piece earned me a call from Rockefeller’s staff. I went to DC to attempt to sway them on my position. I stand by my recommendations for federal government measures first proposed in an open letter to President Obama in 2008, which will also be included in Volume 2, but is summarized nicely in the book. My writing in 2010 focused on measures being discussed by the US government on the executive and legislative side. I guess I was on a crusade that in light of later breaches (OPM) and failings could be deemed a failure. I did not move the needle at all.

This is probably why I don’t write about government proposals very much today, unless they enact substantive measures.

My June 16, 2010, column memorialized the raging debate at the time over the use of the terms “cyberwar” and “cybersecurity.” There are still technologists that tune out if they hear “cyber” appended to anything, but I think the world has fully embraced these terms.

My first industry commentary to appear in Forbes was a call for Intel to back out of its plan to acquire McAfee. I believe history has proven me very right on this one.

I stepped in to critique William Lynn’s famous “Wake up Call” published in Foreign Affairs. Lynn’s article marks the beginning of the transformation of the NSA and the creation of US CYBERCOM.

I cover technologies often. My critique of DHS’ Einstein and IDS in 2010 is worth reflecting on. I introduce my thoughts on reputation services and beaconing detection in May 2011. I was transitioning to doing video interviews at the time so these articles were mere introductions to the videos. Because I charged the vendors a nominal fee to cover production, Forbes soon decided these violated its terms, so eventually I had to move them to IT-Harvest.com.

In May of 2011 I wrote about leaving Facebook because of its security challenges. While they fixed those issues for the most part, and I am on Facebook every day now, this article foreshadows, unwittingly on my part, the abuse of Facebook for spreading disinformation. In an upcoming column I am going to review the amazing book, Mind F*ck, by Christopher Wylie, which covers the attack on the US elections 2016.

You will find one of my common themes over the years is that network security vendors should not attempt to get into endpoint security and vice versa. I remember advising Symantec not to do that when I was at Gartner. I advise against the Sophos-Astaro merger in a May 2011 column. After a flurry of posts in 2011 inspired by interviews with industry executives, I dip back into the cyberwar debate by critiquing the Clausowitzian thinking in a paper by Thomas Rid. You can start to see the influence of my academic period as I had gone back to school to study military history.

On November 7, 2011, I took a stab at criticizing Microsoft. Much of delving into the licensing structure for Windows products came from a white paper I wrote for several anti-virus vendors that wanted someone to make the argument that Microsoft’s “free” security offerings were in fact more expensive than using an independent product.

In April of 2012 I posted a critique of Palo Alto Networks just prior to its IPO. That was my most-read column up to that time. It also caused PAN’s executives to shun me forever.

I had to report on David Sanger’s front page NYT article on Stuxnet on June 4, 2012. This first evidence that the US engaged in cyber attacks ushered in a new world of cyber conflict.

On July 25, 2012, Symantec’s board sacked Enrique Salem, arguably the last “security guy” to be CEO. It was the beginning of the Demise of Symantec, which I cover in March 2020 and is the last essay reproduced in this volume.

There is a back story to my July 30, 2012, post Let's Be Clear on Ethical Hacking. After calling out the two founders of AlienVault in this post, first Forbes banned guest blogging on its platform, and then these two engaged in some heated Tweeting. Eventually the executives at AlienVault had to step in to smooth things over.

On September 19, 2012, I wrote an open letter to Senator Rockefeller. It was in response to a letter he sent out to Fortune 500 CEOs asking them to provide a report on their cyber readiness. I hope someday to see a FOIA request that reveals what those letters said.

By February 2013 I tackled the just-announced Presidential Policy Directive 21 (PPD21). I did not like it. And then on February 19, Mandiant published its famous APT1 report, the first public report of a nation hacking that included indicators of compromise (IoCs). In several of my books I point to this report as a turning point.

Following the usual flurry of writing inspired by the interviews I conducted at RSAC 2013 we entered a new phase of the cybersecurity world, what could be called the post-Snowden era. My June 7, 2013, column on how the surveillance state will threaten the US technology industry, and the next day’s post about a Crisis of Confidence in US tech, was noticed by Tom Gjelten and led to my first NPR interview. I took a break from writing about Snowden, privacy, and the surveillance state in March 2014 to address the turmoil in Ukraine and predict various methods that Russia would use if they planned an invasion.

Then I wrote about what to do about the rush to create more university programs for cybersecurity in STEM Stinks for Cybersecurity. Then back to Symantec with some pointed advice, which they never took. In April 2014 I wrote Why Network Security Vendors Should Stay Away From Endpoint Security, and Vice-Versa, a theme I get to return to whenever a network security vendor acquirers an endpoint company. I get to write about that again; as this book goes to press, WatchGuard, a firewall vendor, announced the acquisition of Panda, an AV company in Spain.

In May of 2014 I attempted to point out that vendors of sandbox tools were violating Microsoft’s terms of use policies by shipping multiple licenses of Windows on each appliance. The industry reaction was underwhelming. Microsoft never pursued anybody and eventually adjusted its terms. 

I had gone back to school in 2011 to study War in The Modern World at King’s College, London. I hoped the understanding of post-WWII history would inform my writing. It certainly slowed down my output as I was struggling with academic research reports until I graduated in July of 2014. I repurposed my Master’s dissertation as a book, There Will Be Cyberwar. In July 2015 I wrote How PowerPoint Kicked Off A Revolution In Military Affairs. It recounts the story of how Admiral Archie Clemins introduced the concept of net-war to the US military.

I also called for Intel to spin off McAfee on July 21, 2015, something they finally did in April of 2017.

Thinking about all the things the military did wrong I pointed that out in Fixing the Pentagon. I must get around to writing Part 2 where I use my experience from the automotive industry to provide advise on how to take on large projects in a rapidly evolving environment.

By August of 2016 I was working as Chief Strategy officer of Blancco Technology Group, so my writing focused on data erasure, privacy, and of course Hillary Clinton’s emails, which were effectively overwritten.

In December 2017, just after leaving Blancco, I wrote about 5G. This was the first time I addressed the impact of 5G and my thinking informed the book Secure Cloud Transformation, which I started working on in January 2018 and published in time for the RSA Conference 2019. The effort to write Secure Cloud Transformation: The CIO’s Journey slowed down my posts dramatically. It was almost a year before I published The Three Stages of Cloud Transformation: Application, Network, Security, which reflected the theme of the book as it launched. I end this volume with The Demise of Symantec, written March 16, 2020. This column received over 85,000 views on Forbes.com, the most for any of my posts. It was derived from the history of Symantec in Security Yearbook 2020.

By mid-March 2020 the world was plunged into a global pandemic. For a writer, being required to shelter at home means it is time to get serious about writing.

Stiennon on Security: Collected Essays, Vol. 1 2010-2020 is available now. Find it on Amazon. https://www.amazon.com/Stiennon-Security-Collected-Essays-1/dp/1945254068