Marcus J. Carey - Tribe of Hackers Security Leaders: Tribal Knowledge from the best in Cybersecurity Leadership

MARCUS J. CAREY

JENNIFER JIN

Copyright 2020 by Marcus J. Carey and Jennifer Jin

Published simultaneously in Canada

ISBN: 978-1-119-64377-7
ISBN: 978-1-119-64379-1 (ebk.)
ISBN: 978-1-119-64376-0 (ebk.)

Manufactured in the United States of America

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2020933611

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Tribe of Hackers would not exist without the awesome cybersecurity community and contributors in it. I owe them tremendously for allowing me to share their perspectives on our industry.

I'd like to give a special shout-out to my wife, Mandy, for allowing me to do whatever the heck I want as far as building a business and being crazy enough to do this stuff. To Erran, Kaley, Chris, Chaya, Justin, Annie, Davian, Kai, Theo: I love you all more than the whole world!

I also want to thank Jennifer Jin for helping build the Tribe of Hackers book series and summit. She would like to thank her parents for supporting her and the online Tribe of Hackers community for their unwavering support of our mission.

Thanks also goes to Jennifer Aldoretta for helping me build a company that is true to our values. Shout-out to every one of the people I've worked with over the past few years.

Thanks to Dan Mandel, Jim Minatel, and the Wiley team for believing in the whole vision.

Marcus J. Carey

Over the last few years, there has been a frequently repeated statistic claiming that there are more than three million cybersecurity jobs left unfilled.

I don't really believe that's trueI believe we have an even bigger problem. I'll admit that we need more people who understand and can help reduce cyber risk. That number is probably significant. But who is going to lead all the people who are coming into the field? Who is going to lead the people currently in the field?

I'm an avid reader, and I like to apply what I learn in books to my life in cybersecurity. One of my favorite books on leadership is Extreme Ownership by Jocko Willink and Leif Babin. In the book, they use the saying, There are no bad teams, just bad leaders.

I have a talent for over-generalizing things. So I thought to myself, What if the real problem is a cybersecurity leadership problem? Even if all the cybersecurity experts we needed were put into place, most cybersecurity teams would suffer from this lack of leadership.

This book is not about beating up on current security leaders. Cybersecurity leadership should start with CEOs, moving all the way down to the cybersecurity owner and their team. I use the term cybersecurity owner because titles vary in every organization. The cybersecurity owners are responsible for day-to-day cybersecurity operations and cyber-risk mitigation. This can be one person or multiple teams.

The cybersecurity owner and their team, processes, and technology make up the security model for each organization. Strong leadership makes the security model work to reduce cyber risk for the organization.

Every security model is different, so all security owners must make sure that they leverage the processes and technology they have in place to generate the best outcomes. This involves understanding the business, the most likely threats, how to mitigate those threats, and how to detect and respond to breaches. In this book, we will equip current and future cybersecurity leaders with strategies that help accomplish these enormous tasks.

This book is more about strategy than the tactics that are discussed in Tribe of Hackers, Tribe of Hackers: Red Team, and Tribe of Hackers: Blue Team. Use this book to help manage a cybersecurity program or figure out strategies that will help you improve yours. This book is for the people who have been thrown into a cybersecurity owner role and need some quick wisdom to get the job done effectively. It's also for the person who wants to eventually lead their own teams.

I hope this book gives many people the wisdom to someday be amazing leaders. It's going to be hard, because like GI Joe always ended, Knowing is half the battle.

I want to give a huge shout-out to my friend Phil Beyer, who sat down with me earlier this year for lunch. I told him about the idea of a Tribe of Hackers: Security Leaders