Permanent staff must commit to a mandatory three-year tour. Those who remain aboard for five years will be eligible for a one-time special ‘uber’ bonus, which will be paid on a sliding scale tied to aggregate semi-annual performance marks. Compensation will be pegged to roughly the upper 80% range of the market.
Secondment staff will serve two-year tours, with an option to extend for a third year. No more than 25 percent of secondment staff will be authorized third-year extensions in any one year. Secondment staff will be sourced from, but not limited to:
- DHS-NCCIC, US Cyber Command, NSA, CIA, FBI, National Cyber Forensics and Training Alliance (NCTFA);
- state and major metro area law enforcement organizations;
- overseas cyber partners and other close allies, who will be called on to “loan” key representatives;
- National Council of ISACs (NCI);
- Service Academies’ divisions for cybersecurity studies;
- major power companies and grid leaders, e.g. Duke Energy, National Grid, PG&E, Con Ed, etc.;
- all publicly listed cybersecurity companies, e.g. FireEye, IBM, Rapid7, SecureWorks;
- midcap and boutique cyber firms, drawn from Cybersecurity Ventures’ published quarterly rankings, e.g. root9B, LookingGlass, Cylance, Darktrace;
- cyber investment professionals from leading platforms such as A16Z, Accel, Bessemer, In-Q-Tel, Intel Capital, KPCB, NEA, Norwest, Sequoia.
NaCCCEx would also feature a Visiting Fellows Program that will tap impact-making cyber thought leaders from across the digital security landscape, including such luminaries as Keith Alexander/IronNet, Ed Amoroso/TAG-Cyber, Frank Cilluffo/George Washington University, Rick Gordon/Mach37, Michael Hayden/The Chertoff Group, Shawn Henry/CrowdStrike, David Kimmel/CyberRiskPartners, Evan Kohlmann/Flashpoint, Angie Messer/BAH, Steve Morgan/Cybersecurity Ventures, Hunter Mueller/HMG Strategy, Theresa Payton/Fortalice Solutions, Kevin Powers/Boston College, Robert Rodriguez/SINET, Phyllis Schneck/DHS, Phil Venables/Goldman Sachs, Amit Yoran/RSA.
Given its stature as a membership organization, it would derive its funding via a rolling tiered subscription model, tied to each member’s blended profits over the prior three years. Membership will be highly encouraged but strictly voluntary.
It would also be granted a special wartime waiver by Congress regarding payment of federal and state corporate taxes; the proceeds of that waiver shall be reallocated to the staff annual bonus and co-investment pools.
By charter, NaCCCEx will foster and enhance early-stage cyber products and services coming to market by deploying marketing and business development resources to new and emerging technologies deemed national cyber priorities. An emphasis will be on aggregating and re-marketing derivative technologies from across disparate sources. Priority focus will be oriented to identifying and developing active defense and counteroffense cyber measures.
When it comes to coordination among key constituents, we must consider that we’re essentially operating in a new paradigm. The rules to date may apply to a degree; but for the most part we’re traveling down uncharted roads. Legal must of course be involved, but it cannot drive the agenda—this is critical. NaCCCEx will serve as the primary national cyber information hub, and in doing so will pave these new avenues for efficient and effective navigation.
- Public – Private . . . A lot more work to do (too much to detail here).
- Private – Private . . . Highest priority shall be given to feeding new-hack events to subscribers in as near real time as possible. Secondly, NaCCCEx will elevate ‘cyber in the know’ awareness among subscribers regarding all that’s going on in the way of new-start and emerging companies, new cyber product and service offerings, derivative technologies that may be sourced from failed startups, etc. If it’s found that a subscriber member is misusing this ‘enhance and protect’ information, in something akin to industrial espionage, stiff long-term penalties will result.
- US – Overseas . . . Priority status will be granted to Israel and Great Britain. Israel has been operating on the cyber front lines longer than any other white-hat public-private collective, and as a result its innovation and coordination methodologies are unparalleled. Britain is doing some cutting-edge work of late, both at the national command level and commercially—for instance, see how Bletchley Park is to be transformed into a new cyber university.
Developing and deploying next-generation cybersecurity leaders—be they senior corporate staff, government operators or educators—is perhaps the single greatest strategic imperative we face. The bad guys will routinely revise and adjust. To meet and overcome this seemingly never-ending challenge, we must continually develop and deploy great minds who can adapt and excel. Indeed, battlefield advantage will be defined by our ability to collectively stay one (and ideally two) steps ahead of the bad guys. NaCCCEx’s training program will comprise a 20-month training cycle to develop and deliver next-generation cybersecurity leaders to the market. Course curricula will center on: general business unit management essentials; leadership and mentoring skills; effective communication (verbal and written)—up, down and across the organizational structure; risk management fundamentals; C-suite and board of directors’ engagement; select corporate CISO, CSO and COO functions.
NaCCCEx’s co-investment arm (the Fund) will be chartered to incubate, accelerate and aggregate. The Fund will be raised via traditional go-to-market channels, e.g. corporate and pension funds, private placement and other private sector sources. The Fund shall feature a one-time match by the US Government. I envision budgetary allocation split across relevant Departments, including but not limited to DoD, DHS and Education. Tax dollars, stemming from net profits on subscription receipts and investment returns, shall be re-circulated to the Fund.
In closing, NaCCCEx will be the center of gravity of a new-paradigm national cybersecurity collective effort, where a culture of collaboration, excellence and measured risk taking must prevail. Given the pin-point rapidity of cyber, we cannot afford to be stifled waiting for ‘perfect’ solutions. A few ‘wrong turns’ to get from here to there is OK.