Skip to content ↓ | Skip to navigation ↓

The slogan for the Council on CyberSecurity comes from an anecdote I tell about my time at NSA as the Chief of the Vulnerability Analysis and Operations Group. Our work included all of the security testing for the Information Assurance Mission, covering everything from technology—algorithm, architecture and product testing—through operational testing of fielded systems (Red Teams, Blue Teams, etc.) and with customers all across the national security systems for the US Government and the Department of Defense (DOD).

Sometime in the early- to mid-2000s, I was talking to an Army general officer regarding our support for standardizing the security configurations of DOD desktops and servers (which eventually led to the Federal desktop configuration) and the release of NSA security guidance to the public (via

He listened politely, but then said something along the lines of:

“That’s all well and good, but that just sounds like commercial best practice to me…

I replied:

“Two points I’d like to make to you, sir. One: if the DOD could only reach the lofty heights of commercial best practice, we’d actually be much better off than we are today. And two: they call it “best practice” for a reasonbecause it is not very common, it stands out.”

He was operating under the assumption that since the DOD was involved in risky and dangerous work, we must be defending our systems with something much grander and more effective than mere “commercial best practice.” But of course, the work of my folks on Red and Blue Teams gave us very good insight into the true state of cyberdefenses across the DOD at that time… and it wasn’t a pretty picture.

Also, our efforts to develop security guidance showed that a few well-known and well-placed actions could cause the Bad Guys a significant amount of risk, cost and exposure. Not perfect defense, but much more effective and manageable.

I don’t think I convinced the General of anything but the anecdote stayed with me for several years until the discussions that led to the formation of the Council on CyberSecurity. As we talked about what we thought we should do, this story came to mind.

It was true then, and it is still sadly true today—the vast majority of problems that plague us are actually known problems with known solutions. That is, most security incidents could have been prevented by actions, technologies and policies that are already known or currently exist in the marketplace.

In fact, if you look far enough, you could almost certainly find someone who has found a way to defend their system against nearly any attack seen today. The problem is that you can’t find that example on your own and learn from it. Or perhaps that example is too specialized, too costly, or too inconsistent with your current policy or requirements for you to apply on your own.

This is the challenge that the Council on CyberSecurity has taken on. As a community, can we find “best practices” (things that work) and find a way to make them “common practice” (things that are known, accessible and supported)?

How can we validate that an approach or practice is in fact the best? How can we take things that appear to work in one setting and generalize, modify and support them to work in others? How can we help others rapidly learn from the best examples and get to implementation more quickly? How can we identify and remove barriers to adoption? And finally, how can we mobilize the entire ecosystem (technologists, defenders, policy-makers, auditors, solutions providers, etc.) around the same important priorities?

There’s an old saying that “practice makes perfect.” So, for cyberdefense, will “best practices” make “perfect defenses”? Of course not! However, given the state of defenses today, we can dramatically improve our individual and collective defenses through open collaboration to find things that work and make them available to all enterprises.

Just as importantly, we will also be creating the kind of visible, managed, adaptable and well-defended foundation that will enable us to deal with all manner of adversary.

So, how can the Council on CyberSecurity help you improve the state of security practice? And what problems have you solved that others could learn from?


About the Author: Tony Sager is the Chief Technologist and a founding member of the Council on CyberSecurity – an independent, international, non-profit organization whose mission is to identify, validate and sustain best practices in cybersecurity. He leads the development of the Top 20 Critical Security Controls, a worldwide volunteer project to find and support technical practices that stop the vast majority of attacks seen today.

Tony retired from the National Security Agency in June 2012 after 34 years as an Information Assurance professional: mathematical cryptographer, software vulnerability analyst and executive manager of the premier cyberdefense organizations at NSA. His journey down the road to “cyber-geekery” started on an Apple II Plus, sometime during the Bronze Age of computer security.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in becoming a guest author for The State of Security, contact us here.


Related Articles:


picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

Title image courtesy of ShutterStock