
Cyber Defense Consulting

Stiennon works with senior executives and boards to evaluate an organization's cyber preparedness. Gaps in technology, people, and process are identified and roadmaps created to enable an enterprise to counter highly targeted attacks.

Advisory Services

IT-Harvest works with Wall Street Analysts, Private Equity Firms, Vendors, and Venture Capitalists to identify market movers, inflection points, and emerging technology vendors. Follow Richard Stiennon on Gerson Lehrman Group's expert network for commentary on publicly traded security vendors.


IT-Harvest tracks over 1,200 security vendors and publishes white papers and industry reports on trends and disruptive changes in the market. See our Security Analysts at conferences worldwide or follow the Cyber Domain blog on

Floundering Frameworks: NIST as a Case in Point

First published in securitycurrent October 24, 2013


Thanks to a directive from President Barack Obama, NIST has released its Preliminary Cybersecurity Framework for critical infrastructure. Like most security frameworks, it is fatally flawed. The framework is poisoned with Risk Management thinking, a nebulous concept borrowed from the world of finance and actuarial tables that simply does not work for cyber security.

The problem with frameworks in general is that they are so removed from actually defining what has to be done to solve a problem. The problem with critical infrastructure, which includes oil and gas pipelines, the power grid, and city utilities, is that they are poorly protected against network and computer attacks. Is publishing a turgid high-level framework going to address that problem? Will a nuclear power plant that perfectly adopts the framework be resilient to cyber attack? Are there explicit controls that can be tested to determine if the framework is in place? Sadly, no to all of the above.

Sometime in the late ‘90s, Risk Management started to infiltrate the thinking of corporate IT security functions, probably because audit departments and outside consultants such as PwC (where I worked in the past) had to convert a problem into language that CEOs and boards would understand. And there is nothing a consultant loves more than a framework for defining its expensive engagements.

FirstNet Board Chooses Virginia for HQ, Boulder for Technical Center

First published in securitycurrent October 29, 2013


Speaking at the Michigan Cybersecurity Summit on October 25, Thomas MacLellan, Director, Homeland Security and Public Safety Division, National Governors Association (NGA) Center for Best Practices, called FirstNet the “largest network deployment in US history.”

FirstNet was established by The Middle Class Tax Relief and Job Creation Act of 2012 as the First Responder Network Authority (FirstNet). It is an independent authority within the National Telecommunications and Information Administration (NTIA) of the US Commerce Department. It is meant to provide emergency responders with the first high-speed, nationwide network dedicated to public safety.

The scope of a new national wireless broadband network is astounding when you consider that the coverage is expected to match that of Verizon, AT&T, T-Mobile, and numerous regional cell phone networks, combined.

At the October Board meeting of FirstNet it was determined that Northern Virginia would be selected for the location of FirstNet’s headquarters and Boulder, Colorado, would be home to the Technical, Engineering and Network Design headquarters.

Two Secure Email Systems Shut Down in the Wake of Snowden Affair Announce Formation of Dark Mail Alliance

First published in securitycurrent October 31, 2013

Two secure email services, Lavabit and Silent Circle, on Wednesday announced the formation of the Dark Mail Alliance.

The announcement at the Inbox Love email conference in Mountain View, California, follows the shuttering of the services in August.

At that time Lavabit founder Ladar Levison said he was forced to close after pressure was exerted to hand over full access to the email system, which allegedly had an account used by NSA whistleblower Eric Snowden. Silent Circle, founded by encryption pioneer Phil Zimmermann and former Navy SEAL Mike Janke, immediately followed suit.

The Dark Mail Alliance said email was “fundamentally broken from a privacy perspective” and that its mission “is to open source the protocol and architecture and help others implement this new technology to address the privacy concerns over surveillance and back door threats of any kind.”

When Levison decided to suspend operations after what he said was 10 years of hard work, he warned in a post on the Lavabit site “against anyone trusting their private data to a company with physical ties to the United States.”
