stephenspagnuolo
Contributor

The time for a national cyber Skunk Works is now!

Opinion
Dec 13, 2016 | 9 mins
Collaboration Software | CSO and CISO | Cyberattacks

A blueprint for taking a leap forward in cybersecurity battlefield success

Dyn DNS taken down (DDoS). DNC hack (phishing). OPM breach (malware). Not to mention surreptitiously stolen healthcare records and credit card numbers seemingly every minute of every day.

The cyber imperative: While the joint US private and public digital security ecosystem gains its ‘sea legs’, the cyber bad guys will continue to have their proverbial way with us.

The two prevailing gaps . . . 

  • A deep national bench strength of existing and next generation cybersecurity leaders and operators, spanning startups to large corporations and across the public-sector space, who possess the requisite skill set to compete and consistently win on the cyber battlefields of today and tomorrow. Our current bench is woefully short.
  • A mechanism for funneling all the disparate data points—who’s doing what, what’s working, what’s not—that are percolating across our cyber ecosystem daily. Presently it seems we’re bouncing between two extremes, information overload and ignorance.

The macro solution is: transitioning from a burgeoning industry with still “wild west” market tendencies to a dynamic force that is vastly more interconnected and accessible—dare I say institutionalized?—and yet maintains its core entrepreneurial operating spirit. This is a new kind of war we’re collectively fighting. Unlike all prior engagements, sustained battlefield success will be achieved principally with the private/commercial sector leading from the front. Government agencies will be a key player, but in a primary supporting role.

We have our first ever Federal CISO, Greg Touhill, now in place. An incoming new Administration is seemingly reorienting to a strong security posture, presumably to include digital security. And the Commission on Enhancing National Cybersecurity just released its Report on Securing and Growing the Digital Economy. The stars seemingly are aligned for us to take a generational leap forward . . . now.

Three years ago, in A Call For A National Cyber CounterInsurgency, I challenged our cyber ecosystem to look to and replicate the spirit of Skunk Works, Lockheed Martin’s research and development unit that was stood up during WWII (and is still thriving, making meaningful impact today) to fast track priority national security assets. 

Innovation, coordination, education . . . and investment. These are the key pillars that will support and sustain our relentless pursuit of a unified mission to consistently beat the bad guys. It may take a generation to get there. Doesn’t matter; eye on the ball. 

Reflecting on Skunk Works’ legendary operating model, let me propose the following blueprint . . .

  • The establishment of a National Center for Cybersecurity Coordination & Excellence (NaCCCEx) . . . nicknamed Triple-C. Structurally this would marry the commercial fundamentals of a Fannie Mae (independent, for profit, government sponsored entity (GSE)) with the interoperability of a Joint Terrorism Task Force (JTTF) with the cyber information sharing best practices of a Security Innovation Network (SINET). (Editorial note: For purposes here, let’s set aside what occurred at Fannie 2006-09 range—when politics and bad policy mucked up what had been a clear and soundly functioning mandate for 70 years. And while Fannie Mae is a publicly listed company, I’d advocate for remaining private over the long haul.) 
  • NaCCCEx will function as a dynamic commercial cyber engine of growth; one that is closely linked with traditional public sector entities, e.g. DHS, US Cyber Command, etc., but that is clearly separate and distinct from direct government ownership and intervention . . . and importantly is solely responsible for managing its own affairs. It is perhaps appropriate, on this 75th Anniversary of Pearl Harbor, to consider that without America’s massively powerful commercial engine steaming 24/7, militarily the Allies would have been woefully lacking in combating the Axis Powers. 
  • NaCCCEx will serve as an institutional hub to . . . 
    • Connect the reams of data points emanating from disparate sources and bridge private sector companies with public sector entities. A pure-play private sector model, with no linkage to the public sector (as is virtually the case today), is not sufficiently effective on a going forward basis.
    • Develop and deliver to the market the most capable cybersecurity leaders for future years. This requires a mechanism to attract the best minds in cyber today to educate and train future cyberists. The majority of quality cyber folks are simply not going to work for the government, for a whole host of reasons; pay being a big one, but also a generally deep disinclination by many to work for “big brother”. 

Main features

First and foremost, NaCCCEx is a commercial entity. A vibrant cybersecurity national effort must at its core maintain its commercial spirit. Private and for-profit is the best means to optimize and fast-track cutting edge capabilities. Organizationally it will embody a co-president leadership structure, comprised of a recently retired Technology CEO—less than four years out of a mid-cap or larger organization—and an active duty 3-star General/Flag Officer—uniform of the day is business attire—who will serve two-year tours, alternating off years. For initial launch, the civilian co-president will remain aboard for a third year.

It will also be staffed by permanent employees and those on secondment from a multitude of organizations emanating from our cyber ecosystem. 

Permanent staff must commit to a mandatory three-year tour. Those who remain aboard for five years will be eligible for a one-time special ‘uber’ bonus, which will be paid on a sliding scale tied to aggregate semi-annual performance marks. Compensation will be pegged to roughly upper 80% range of market.

Secondment staff will serve two-year tours, with an option to extend for a third year. No more than 25 percent of secondment staff will be authorized third-year extensions in any one year. Secondment staff will be sourced from, but not limited to: DHS-NCCIC, US Cyber Command, NSA, CIA, FBI, National Cyber Forensics and Training Alliance (NCTFA); state and major metro area law enforcement organizations; overseas cyber partners and other close allies will be called on to “loan” key representatives; National Council of ISACs (NCI); Service Academies’ divisions for cybersecurity studies; major power companies and grid leaders, e.g. Duke Energy, National Grid, PG&E, Con Ed, etc.; all publicly listed cybersecurity companies, e.g. FireEye, IBM, Rapid7, SecureWorks; midcap and boutique cyber firms, drawn from Cybersecurity Ventures’ published quarterly rankings, e.g. root9B, LookingGlass, Cylance, Darktrace; cyber investment professionals from leading platforms such as A16Z, Accel, Bessemer, In-Q-Tel, Intel Capital, KPCB, NEA, Norwest, Sequoia.

NaCCCEx would also feature a Visiting Fellows Program that will tap impact-making cyber thought leaders from across the digital security landscape, including such luminaries as Keith Alexander/IronNet, Ed Amoroso/TAG-Cyber, Frank Cilluffo/George Washington University, Rick Gordon/Mach37, Michael Hayden/The Chertoff Group, Shawn Henry/Crowd Strike, David Kimmel/CyberRiskPartners, Evan Kohlmann/Flashpoint, Angie Messer/BAH, Steve Morgan/CyberSecurity Ventures, Hunter Mueller/HMG Strategy, Theresa Payton/Fortalice Solutions, Kevin Powers/Boston College, Robert Rodriguez/SINET, Phyllis Schneck/DHS, Phil Venables/Goldman Sachs, Amit Yoran/RSA.

Given its stature as a membership organization, it would derive its funding via a rolling tiered subscription model, tied to blended prior three-years profits. Membership will be highly encouraged but strictly voluntary.

It would also be granted a special wartime waiver by Congress regarding payment of federal and state corporate taxes. The proceeds for which shall be reallocated to staff annual bonus and co-investment pools.

Innovate

By charter, NaCCCEx will foster and enhance early stage cyber products and services coming to market via deploying marketing/business development resources to new/emerging technologies, deemed national cyber priorities, to foster growth. An emphasis will be on aggregating and re-marketing derivative technologies from across disparate sources. Priority focus will be oriented to identifying and developing active defense and counteroffense cyber measures.

Coordinate

When it comes to coordination among key constituents, we must consider that we’re essentially operating in a new paradigm. The rules to date may apply to a degree; but for the most part we’re traveling down uncharted roads. Legal must of course be involved, but it cannot drive the agenda—this is critical. NaCCCEx will serve as the primary national cyber information hub; and in doing so will pave these new avenues for efficient and effective navigating.

  • Public – Private . . . A lot more work to do (too much to detail here).
  • Private – Private . . . Highest priority shall be given to feed new-hack events across subscribers in as near real time as possible. Secondly, NaCCCEx will elevate cyber ‘in the know’ awareness among subscribers regarding all that’s going on in the way of new-start and emerging companies, new cyber product and services offerings, derivative technologies that may be sourced from failed startups, etc. If it’s found that a subscriber member(s) is misusing this ‘enhance and protect’ information, something akin to industrial espionage, stiff long-term penalties will result.
  • US – Overseas . . . Priority status will be granted to Israel and Great Britain. Israel has been operating on the cyber front lines longer than any other white hat public-private collective, and as a result their innovation and coordination methodologies are unparalleled. Britain is doing some cutting edge stuff of late, both at the national command level and commercially—for instance, see how Bletchley Park is to be transformed to a new cyber university.

Educate

Developing and deploying next generation cybersecurity leaders—be they senior corporate staff, government operators, educators—is perhaps the single greatest strategic imperative we face. The bad guys will routinely revise and adjust. To meet and overcome this seemingly never-ending challenge, we must continually develop and deploy great minds who can adapt and excel. Indeed battlefield advantage will be defined by our ability to collectively stay one (and ideally two) steps ahead of the bad guys. NaCCCEx’s training program will comprise a 20-month training cycle to develop and deliver next generation cybersecurity leaders to the market. Course curricula will center on: general business unit management essentials; leadership and mentoring skills; effective communication (verbal and written)—up, down and across the organizational structure; risk management fundamentals; c-suite and board of directors’ engagement; select corporate CISO, CSO, COO functions.

Invest

NaCCCEx’s co-investment arm (the Fund) will be chartered to incubate, accelerate and aggregate. The Fund will be raised via traditional go-to-market channels, e.g. corporate and pension funds, private placement and other private sector sources. The Fund shall feature a one-time match by the US Government. I envision budgetary allocation split across relevant Departments, including but not limited to DoD, DHS and Education. Tax dollars, stemming from net profits on subscription receipts and investment returns, shall be re-circulated to the Fund.

In closing, NaCCCEx will be the center of gravity of a new-paradigm national cybersecurity collective effort; where a culture of collaboration, excellence and measured risk taking must prevail. Given the pin-point rapidity of cyber, we cannot afford to be stifled waiting for ‘perfect’ solutions. A few ‘wrong turns’ to get from here to there is OK.

Stephen Spagnuolo leads the digital security and risk and retained search practices for Quantum Search Partners, an Arlington, VA-based recruiting firm. Stephen has earned a recognized track record of delivering leadership talent and corporate development solutions across cybersecurity, financial services and other industry sectors, ranging from early-stage/startup to emerging growth to mid and large global corporates, banks and consultancies. In so doing, he leverages his deep and extensive network, particularly across the U.S. National Security and Wall Street communities.

Prior to Quantum, Stephen was managing director/cybersecurity practice Leader for ZRG Partners, a global search firm. Previously, he was founder/managing principal of SASearch Advisors, a boutique executive recruiting and advisory firm. Earlier, he was cofounder/head of the Americas for Sheffield Haworth, a London-based global investment banking and financial services recruitment firm. His formative executive search years were with Russell Reynolds Associates in New York, as a member of the global banking and markets practice.

He currently serves as a cybersecurity expert and the on-call cybersecurity headhunter with RANE (Risk Assistance Network + Exchange), and is frequently engaged as guest panelist on cybersecurity recruitment for various executive leadership summits and forums, including HMG Strategy CIO & CISO Summits.

A graduate of the U.S. Naval Academy, Stephen served with distinction as a US Marine Corps infantry officer, having deployed to multiple overseas contingencies.

The opinions expressed in this blog are those of Stephen Spagnuolo and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.