4.19.23 > Tony Sager

I just checked – my first connection to the Minnesota Cyber Summit was in 2016 as a speaker.   In fact, I think it was the first time I had ever set foot in the State of Minnesota. How the cyber-time flies (even if progress feels glacial!)   I forget the details, but the connection between the non-profit Center for Internet Security and the Minnesota cyber community was triggered by Colonel Stefanie Horvath (now BGEN) of the MN National Guard. One thing led to another, and I was invited to give a talk at the event. (Making Best Practice Common Practice:  the CIS Controls).

I’ve been in the business for a long time, spoken at hundreds of events, seen great ideas come and go, and participated in many lofty studies and paper-writing exercises. And I’ve watched our collective incremental improvement against a problem that is growing non-linearly.  So even though I am a hopeless optimist – the only way you can survive a long 45-year career in cyber defense – please allow me to have the occasional cynical or discouraging moment.

So I am never sure what I’ll find when I go to give a talk, and I was not sure what I was expecting when I came to Minnesota and the CSS. But here’s what I found.

Kindred spirits. Colleagues. New friends. Not a super-slick marketing event, but a year-round conversation that happened to include a yearly community gathering.  Not a local or state-only event, but one with broad national and international focus, appeal, and attendance. An incredibly diverse and nationally vital business community, participation from every level of government, pragmatic academics, and a thriving security industry.

CIS was formed in 2000 around the same ideals. In cyberspace, we all have more in common than different, so we should act like it. Bring people together on the problems we have in common, create and share the content to deal with those problems, and align the “systems” that are necessary to make the most important things to do, the things that get done.

This is not some rah-rah, Kumbaya bumper-sticker thing, but a way of life and a call to action. Trust is not designed, dictated, and handed down from some central cyber mountaintop. It’s built, grown, and made real by people who actively look for common ground, and choose to work together.

And yes, this work is hard. If it was easy, I’d have had to find productive work a few decades ago. And so, we do need to physically gather, to learn from each other, to build trust, and yes, to celebrate. The more “hi-tech” this business gets, the more we need “hi-touch” in our relationships, trust, and growth.

And so, I keep coming back.  And because this is part of my extended cyber family, I even brought my son last year, for our first ever Family Tech Talk (“Here Be Dragons…Navigating An Ocean of Security Frameworks”).

And of course, no one escapes the cyber-gravitational orbit of Eileen Manning – every community needs a catalyst!   See you in October!


Tony Sager, Senior VP & Chief Evangelist, The Center for Internet Security

Communications Security, Computer Security, Information Security, Information Assurance, Defensive Information Operations, and several more – I’m very lucky to have ridden the World-Wide Wave we now call cybersecurity. Tony also serves as the Director of the SANS Innovation Center, a subsidiary of The SANS Institute.

Tony spent 35 years in Federal Service at the National Security Agency as part of the Information Assurance mission. The common element across his career was the search for vulnerabilities in the name of defense – finding vulnerabilities, making sense of them, leading organizations to find them, and then translating that knowledge into action to prevent or manage them.

That final challenge consumed the last third of my government career. How can we translate what we learn through product testing, Red Teams, Blue Teams, systems analysis, etc. into operational guidance, best practices, requirements, training, and security improvements? How can we bridge the gap between telling people what they are doing wrong, and helping them do what’s right? This led to projects like the release of NSA Security Guides to the public, involvement in open standards for security automation and information sharing, and an activity now known as the Critical Security Controls.

You can connect with Tony here at the Cyber Security Summit Think Tank Advisor Board

And on LinkedIn at https://www.linkedin.com/in/tony-sager-56371043/