Cyber Web Spider Blog – News

CISO Conversations: Keith McCammon, CSO and Co-founder at Red Canary

Posted on December 8, 2025 By CWS

Keith McCammon was a technologist first and a security guru second. He has never received any formal training in cybersecurity, but a love of technology and pleasure in solving puzzles led naturally into the subject, learning along the way.

Red Canary background

Kyrus Tech, now owned by Sixgen, was the source of both Carbon Black and Red Canary (now a Zscaler company).

Kyrus developed Endpoint Detection and Response (EDR) technology, and in 2011 formed Carbon Black as a wholly owned subsidiary – effectively a Kyrus business unit – specializing in EDR. By 2013, it was clear that many EDR customers needed additional help in handling the issues detected by Carbon Black.

Initially, this was handled in-house, but in 2014 Red Canary was spun out of Kyrus as an independent company to provide MDR on top of Carbon Black’s EDR. The firm was founded by Brian Beyer (CEO), Chris Rothe (CTO), and Keith McCammon (CSO). Kyrus contributed to Red Canary’s initial seed funding.

Keith McCammon, CSO and Co-founder at Red Canary.

In the same year, Bit9 acquired the EDR business from Kyrus, and two years later rebranded itself as Carbon Black. This Carbon Black was acquired by VMware in 2019 (becoming VMware Carbon Black), which was then acquired by Broadcom in 2023 and integrated into the Broadcom Symantec assets in 2024.

Red Canary continued as a separate company for more than a decade, but was acquired by Zscaler in a deal that closed in August 2025.

Both ‘carbon black’ and ‘red canary’ are metaphors. Carbon black is a form of carbon that can be added to different materials, providing deep, uniform integration and increased strength. Red canary invokes the canaries that were once taken into coal mines to provide early warning, and prompt a need for evasive action, if a threat (toxic gases) was present.

Keith McCammon’s career path

McCammon didn’t choose a career in cybersecurity. In his own words, he just “happened upon it”.

Like many security professionals, he came across computers early in life. His father worked at Bell Labs and his brother was keenly interested in computers. But he wasn’t.

“Growing up, I only started using them somewhat under duress.” At college, he needed a job. He wanted to be a lifeguard, or to work in a gym. “They stuck me in a basement computer lab. That was my first exposure to any meaningfully sized computer with a whole bunch of users.”

It was all new and he had neither experience nor training, but he dug in and tried to learn on the job. Two things emerged: he learned that he liked technology, and he loved solving problems. He had been thrown in at the deep end, but found he enjoyed computer systems and networking.

After college, and with some knowledge of networking, he started working in telecom during the dot-com boom. It wasn’t cybersecurity, because that hardly existed and was only just beginning to emerge. Martin Roesch’s Snort was new, and Sourcefire hadn’t yet been founded – but cybersecurity threats were increasingly apparent and starting to cause problems.

“I kept finding that the really hard and interesting problems would be sent to someone else to solve. I wanted to be that someone else. I found the complexity, the challenge and the adversarial nature of cybersecurity intriguing.” As was his wont, he taught himself and learned on the job. “That was really my journey – from building networks, understanding that they were being misused, and then trying to figure out how we could get our heads wrapped around that.”

But it is only the first part of the journey. He now understood technology and the concept of cybersecurity, but he still had an interest in deep problem solving and the adversarial side of cybersecurity. It’s no surprise that he would become interested in aspects of national security and the problem of elite nation-state hackers. He moved on to work first at ManTech and later at Kyrus Tech.

ManTech is a US defense contractor specializing in cybersecurity and advanced technology solutions for government agencies. It says of itself, “ManTech cyber experts research, develop and deliver innovative full-spectrum cyber mission capabilities that allow our customers to Deny, Defend and Dominate in support of Cyberspace Superiority.” ManTech gave McCammon experience of offensive cyber operations as well as an understanding of how elite nation state adversaries go about their daily job.

Kyrus Tech was somewhat similar to ManTech, being founded by former ManTech employees. But it was fundamentally a software development company with a specialty in reverse engineering, data science, and advanced security solutions – and a culture of promoting original thinking among its employees. It was this culture that led to Carbon Black and the subsequent Red Canary spin out, initially designed to maximize the leverage of Carbon Black’s telemetry. Red Canary was founded by three Kyrus employees, including McCammon.

McCammon says he ‘happened upon’ cybersecurity. It’s tempting to suggest he was also guided by the Norns into it, and onward to Red Canary.

On being a security leader

McCammon has had no formal training in cybersecurity and has no academic qualifications in either computing or security. “Not one,” he said. Has it held back his career? “I don’t think so. While I lack an academic background, I’ve encountered a series of mentors who took the time to teach me. So, it hasn’t held me back, but nor have I succeeded because I’m sensible. It’s just the combination of working with a series of unbelievable people together with my own willpower and obstinance. My path took me into defensive and offensive areas of national security, and I was exposed – by chance – to an unbelievable set of people who I’ve now worked with for the last 20 years.”

This begs a question. Since he has been both involved in defensive and up close with offensive security, should a cybersecurity leader be a hacker at heart? “There’s very little downside to that,” he said.

He doesn’t think of himself as a hacker, but considering his career and attitudes, it’s clear he has the mindset of a hacker. He certainly accepts that key traits of hackers are mission focus, inquisitiveness, and “more than anything else, just an unwillingness to give up until you achieve your objective.” That sounds remarkably like Keith McCammon.

His work has included offensive cybersecurity, including signals intelligence, while being grounded in a national security mission. When we do it, it’s signals intelligence (SIGINT); when they do it, it’s cyber spying (espionage). At the same time, his defensive training pitted him against the elite hackers of nation state APTs. So, he has the advantage of knowing how hackers work, and how they can be stopped.

“Most organizations aren’t facing the type of adversary that we have on the national security side. Most organizations aren’t going to wake up in the morning and be staring down an apex adversary from one of the best teams from a nation-state. That’s not the reality of most breaches – but understanding how that happens and the methodical nature of cybersecurity intrusions, particularly by professionals who we think of as bad guys but they’re just doing their job… well, it’s been useful to me to have that experience and perspective.”

It has helped him, but he doesn’t think it’s essential or even always an advantage. “I think it would be hard to walk into a CISO role as a guns blazing hacker where all your experience is ripping things apart. That’s useful for understanding how people break into things, but it may miss a deep understanding of how enterprise systems are built and how they communicate – and all the constraints, the human factors, the risk factors, the budget factors. There’s a range of skills needed by the CISO, which is one of the most vertically integrated jobs I’ve ever come across. You need a sufficient understanding of the hacker mindset, mentality and skills; you need a sufficient understanding of enterprise IT; you need to be a great communicator; and have mastery of the economics of the business you’re in.”

This vertical integration is a key factor in the fluidity of CISO churn. CISOs in large organizations tend to stay in the position for many years. Not so with smaller companies, where turnover is rapid, and tenure is short. There are four main reasons for this: stress and burnout; a move to a better company with more resources, authority and remuneration; being scapegoated and sacked for a breach; and the job being eliminated through acquisition by a larger company that doesn’t need two CISOs.

“It’s the nature of the job,” explained McCammon. “When a CISO walks into a new job, from his first day, she or he already knows that the last day could be earlier than expected. There’s a ton of organizational dynamics in the work, and it’s adversarial by nature.” Sometimes the adversary is in-house – a finance manager seeking to reduce or limit the security budget, or business leaders demanding something that simply is not and cannot be secure, or staff that will not or cannot follow security guidelines. There’s an inescapable element of Janus in the CISO.

A CISO may do a good job of securing the business while remaining insecure in the position. But that, said McCammon, is simply the nature of the job. What then, is the best persona or character trait that could help a CISO navigate such a complex, hectic, and tenuous position? McCammon offers two.

“Firstly, the ability to communicate,” he said. It may seem unrelated to the problems of security, but it’s directly related to the solution of any problem. “Being a thinker and communicator, and specifically, being a skilled writer, I think is critically important.”

But secondly, and even more important, is the ability to remain calm. “The single most important quality in a security leader is the ability to remain calm in a hectic situation,” he said. Kipling said similar years ago (with my apologies to all of today’s women leaders), “If you can keep your head when all about you are losing theirs and blaming it on you; if you can trust yourself when all men doubt you, but make allowance for their doubting too… you’ll be a man, my son.” Kipling wasn’t writing about CISOs – but what he wrote is well-matched to the modern role.

Industry Advice

Advice received from mentors is a key part of any career development. For McCammon, it isn’t simply advice but what you learn from experience and how you use that learning that’s important. In effect, the advice was learned by observation of his many mentors. “I was working in the national security area with 60 or 70 services, with staff in all of them. I had led teams before, although this was the largest, and the stakes were very high.” He was facing an onslaught of nation state activity and needed extra leverage.

“I realized that sometimes you may be the proverbial smartest person in the room, but that doesn’t help you solve problems. What you really need is the ability to delegate effectively.” He had seen this in an earlier mentor. It’s not a case of telling someone what to do but trusting that they know and will do what needs to be done. The leader should teach principles and then trust team members to make their own decisions on fulfilling those principles.

“No one learns by just being told what to do and doing it. People learn by making their own decisions, making their own mistakes – and that’s where growth comes from.”

Pressed on whether he would offer any specific advice to others, he thought for a while and then said, “Be optimistic. Fight the nihilistic attitude around cybersecurity.” This is typified in the often quoted, ‘it’s not if, but when you are breached’. “I tell every new hire into Red Canary, ‘The best way to complain is to make things’,” quoting the legendary Grace Hopper, developer of the world’s first nascent compiler for the UNIVAC computer.

“If you’re not successful or have a problem, you could complain about not having the people or tools you need. Or you could take a step back, stop complaining, and make something to make it work. Rather than getting dejected or upset because things like your organization or cybersecurity or the world aren’t working the way you think they should, go make something to make it work. Like build a little tool or build a program or teach people all the things that you wish you had been taught.”

It’s something he wishes he’d learned earlier in his career. “I absolutely went through the troughs of multiple disillusionment… this is never gonna work, we’re never gonna win. But just keeping your head up and remaining optimistic creates a virtuous cycle – and makes you the kind of person you’d like to talk to and have in your corner in a crisis.”

Perhaps we should adapt his advice to, “Be proactively optimistic.”

Current threats

It’s common to think the biggest threats are the more active malware types, like ransomware, wipers, or infostealers. McCammon takes a different view. “Ransomware is a consequence – the conclusion of a bunch of other threats. I think, hands down, the most concerning trend is how things like ransomware happen,” he suggested.

The biggest threat is the versatility and growing professionalism of the adversary. McCammon cites ClickFix as an example. “Instead of jumping through hoops to defeat all the security controls implemented by the target – just to deliver a phishing email – the adversary uses silent malvertising or a drive-by to engineer the user into inviting him in.”

This approach is ingenious and much more effective than the blaring, flashing warnings that ‘malware has been detected’ and you must click this link to get rid of it. The latter uses the emotional trigger of fear (but without trust), while ClickFix uses trust without fear.

This versatility in learning what works, coupled with the growth of crime-as-a-service spreading the availability of new techniques rapidly throughout the criminal ecosphere, is a bigger threat than individual malicious payloads. The payloads are the result of the true threat, the professionalization of cybercrime and the creativity of cyber criminals.
