The basic technique of cybercrime statistics—measuring the incidence of a given phenomenon (DDoS, trojan, APT) as a percentage of overall population size—had entered the mainstream of cybersecurity thought only in the previous decade. Cybersecurity as a science was still in its infancy, as many of its basic principles had yet to be established.
At the same time, the scientific method rarely intersected with the development and testing of new detection & prevention regimens. When you read through that endless stream of quack cybercures published daily on the Internet and at conferences like RSA, what strikes you most is not that they are all, almost without exception, based on anecdotal or woefully inadequately small evidence. What’s striking is that they never apologize for the shortcoming. They never pause to say, “Of course, this is all based on anecdotal evidence, but hear me out.” There’s no shame in these claims, no awareness of the imperfection of the methods, precisely because it seems to eminently reasonable that the local observation of a handful of minuscule cases might serve the silver bullet for cybercrime, if you look hard enough.
But, cybercrime couldn’t be studied in isolation. It was as much a product of the internet expansion as news and social media, where it was so uselessly anatomized. To understand the beast, you needed to think on the scale of the enterprise, from the hacker’s-eye view. You needed to look at the problem from the perspective of Henry Mayhew’s balloon. And you needed a way to persuade others to join you there.
Sadly, that’s not a modern story. It’s an adapted quote from chapter 4 (pp. 97-98, paperback) of The Ghost Map, by Steven Johnson, a book on the cholera epidemic of 1854.
I won’t ruin the book nor continue my attempt at analogy any further. Suffice it to say, you should read the book—if you haven’t already—and join me in calling out for the need for the John Snow of our cyber-time to arrive.
RSAC 2025 Sets A Dangerous Precedent for Cybersecurity Leadership
(I posted this on LI, but I like to own my content, so am also posting here.)
The cybersecurity community deserves better than what we’re witnessing at RSAC 2025, today.
While Kristi Noem delivers today’s keynote, the absence of traditional cybersecurity leaders from agencies like NSA and CISA speaks volumes about shifting priorities in our field. This contrast becomes even more troubling when viewed alongside recent developments with Chris Krebs. The former CISA director — widely respected for his defense of election security — has faced unprecedented retaliation: security clearances revoked, his employer SentinelOne effectively blacklisted, and federal investigations directed into his tenure for simply upholding the integrity of our democratic systems.
Meanwhile, Secretary Noem — who has publicly committed to “reining in” CISA’s disinformation efforts and called its election integrity work “shocking” — receives our industry’s most prestigious speaking platform. Her tenure at DHS has featured more political theater than substantive cybersecurity leadership — or just leadership in general — prioritizing spectacle over the technical expertise and collaborative approach our field demands.
RSAC has always represented rigorous, forward-thinking discussion about defending critical infrastructure and fostering trust in technology. By elevating political figures who undermine the very principles our community stands for — while one of our most principled voices faces silencing — we’re accepting a dangerous new standard.
The cybersecurity field requires leaders who value expertise, accountability, and the defense of democratic norms. We must ask ourselves: what message are we sending about our professional values when we applaud those who work to dismantle the very protections we’ve built?
Every individual involved with RSAC who had a part to play in this decision should be deeply, deeply ashamed of themselves.