2018 TAG Cyber Security Annual - Preface to Volume 1

This 2018 TAG Cyber Security Annual – Volume 1: Outlook for Fifty Cyber Security Controls is a companion guide to the report of similar name issued last year. I will admit that it was tempting to take last year’s report and tweak a few words, add some new descriptions, and maybe draw a couple of fresh diagrams – and call the result a new report. Luckily, that lazy option passed, and instead, I spent an hour of each day for the past six months writing a new book. So, if you thought you’d get off easy, then forget it: You have some reading to do.

This new volume complements two other new volumes issued as part of the TAG Cyber Security Annual series and available to you as free PDF downloads at I suppose one could debate whether our TAG Cyber material is useful, but there is full consensus that our material is voluminous. As always, we offer our reports at a whopping price of free, but I suspect that if we ever decide to sell these massive volumes, we will set pricing based on dollars-per-pound.

The process used to create this volume had much in common with last year’s approach. The most obvious similarity is that I once again received a lot of help. Like last year, I carefully selected and reached out to a select group of cyber security technology vendors – most of them new this year – and asked that they invest the time, energy, and resources to help me learn their specialty. These wonderful Distinguished Vendors are listed on the next page – and I hope you’ll reach out and learn from them as well. Your time will be well spent.

Also, like last year, I spent hours and hours and hours (and more hours) with enterprise security professionals and Chief Information Security Officers (CISOs) from every sector in business and government. I invited them to dinners, I cajoled them into weekly discussion sessions, and I cornered them at every conference. I think some now head the other way when they see me approaching. But this is necessary, because cyber security only comes into focus with many different perspectives. Even within the same company, I often hear different answers to the same question. So, there are no shortcuts.

An awesome new input this year was the group of paying customers (yes, that’s right) for which my growing TAG Cyber team – Liam Baglivo, Matt Amoroso, and Miles McDonald – provided cyber security consulting. To respect their privacy, I won’t name the companies here, but they provided amazing insights into current views on best practices in cyber defense. These clients included two banks, a software company, a government support team, a tech company, a non-profit, and a medical device company. Assisting on their projects was enormously helpful in the creation of this volume.

My annual caveat on bias must start with AT&T, where I served for thirty-one incredible years. I continue to believe that the expert team there is doing groundbreaking work in software defined networking under John Donovan, and it is ridiculous for me to try to appear unbiased. My comments on managed security services offer a glowing vision of self-provisioned, virtualized security via cloud and SDN, and if that appears to align with AT&T’s approach – well, then I admit the alignment. I spent years helping to design that work, so I cannot untangle myself.

I have, however, carefully removed myself this year from all major boards. I loved my year with M&T Bank as an Independent Director on their Corporate Board, but the relationship has been redesigned as senior consultative. That is one fine group of people up in Buffalo, and I hope you use their banking services. I also stepped down from the NSA Advisory Board so that I could write openly, publish more freely, and devote the proper amount of time required for this research. That government board included an awesome group of amazing volunteers and civil servants – and I wish each of them well.

My academic affiliations remain intact, albeit perhaps more intense. I continue to teach two courses per year in a massive lecture hall to about two-hundred graduate students at the Stevens Institute of Technology annually. I’ve also accepted a position as a Research Professor at NYU, where I focus on cooperative learning, government-funded research, and cyber awareness events for executives. Finally, I continue to serve as a Senior Advisor to the Applied Physics Lab at Johns Hopkins University, where I support a group of ridiculously smart technologists.

Anyway, enough about me: It’s time that you dive into this 2018 TAG Cyber Security Annual: Volume 1 – Outlook for Fifty Cyber Security Controls. As you read the book, my advice is to use the Feynman self-summarization technique to absorb the material using a sharpened Ticonderoga, a fresh lined pad, and an open mind. I hope this book is useful to you.

Dr. Edward G. Amoroso

(All three volumes of the 2018 TAG Cyber Security Annual are available now for free PDF download at