Keith McCammon was a technologist first and security guru second. He has never received any formal training in cybersecurity; but a love of technology and pleasure in solving puzzles naturally led into the subject, learning on the journey.
Red Canary background
Kyrus Tech, now owned by Sixgen, was the source of both Carbon Black and Red Canary (now a Zscaler company).
Kyrus developed Endpoint Detection and Response (EDR) technology, and in 2011 formed Carbon Black as a wholly owned subsidiary – effectively a Kyrus business unit – focusing on EDR. By 2013, it was clear that many EDR customers needed additional assistance on handling the issues detected by Carbon Black.
Initially, this was handled in-house, but in 2014, Red Canary was spun out of Kyrus as an independent company to provide MDR on top of Carbon Black’s EDR. The firm was founded by Brian Beyer (CEO), Chris Rothe (CTO), and Keith McCammon (CSO). Kyrus contributed to Red Canary’s initial seed funding.
In the same year, Bit9 acquired the EDR business from Kyrus, and two years later rebranded itself as Carbon Black. This Carbon Black was acquired by VMware in 2019 (becoming VMware Carbon Black), which was then acquired by Broadcom in 2023 and integrated into the Broadcom Symantec assets in 2024.
Red Canary continued as a separate company for more than a decade, but was acquired by Zscaler in deal that closed in August 2025.
Both ‘carbon black’ and ‘red canary’ are metaphors. Carbon black is a form of carbon that can be added to different materials providing deep, uniform integration and increased strength. Red canary invokes the canaries that were once taken into coal mines to provide early warning, and provoke a requirement for evasive action, if a threat (toxic gases) were present.
Keith McCammon’s career path
McCammon didn’t choose a career in cybersecurity. In his own words, he just “happened upon it”.
Like many security professionals, he came across computers early in life. His father worked at Bell Labs and his brother was keenly interested in computers. But he wasn’t.
“Growing up, I only started using them somewhat under duress.” At school, he needed a job. He wanted to be a lifeguard, or to work in a gym. “They stuck me in a basement computer lab. That was my first exposure to any meaningfully sized computer with a whole bunch of users.”
It was all new and he had neither experience nor training; but he dug in and tried to learn on the job. Two things emerged: he realized that he liked technology, and he loved solving problems. He had been thrown in at the deep end, but found he enjoyed computer systems and networking.
After school, and with some knowledge of networking, he started working in telecom during the dot-com boom. It wasn’t cybersecurity, because that hardly existed and was only just beginning to emerge. Martin Roesch’s Snort was new, and Sourcefire hadn’t yet been founded – but cybersecurity threats were increasingly apparent and starting to cause problems.
“I kept finding that the really hard and interesting problems would be sent to someone else to solve. I wanted to be that someone else. I found the complexity, the challenge and the adversarial nature of cybersecurity intriguing.” As was his wont, he taught himself and learned on the job. “That was really my journey – from building networks, understanding that they were being misused, and then trying to figure out how we could get our heads wrapped around that.”
But it is only the first part of the journey. He now understood technology and the concept of cybersecurity, but he still had an interest in deep problem solving and the adversarial aspect of cybersecurity. It is no surprise that he would become interested in aspects of national security and the problem of elite nation-state hackers. He moved on to work first at ManTech and later at Kyrus Tech.
ManTech is a US defense contractor specializing in cybersecurity and advanced technology solutions for government agencies. It says of itself, “ManTech cyber experts research, develop and deliver innovative full-spectrum cyber mission capabilities that allow our clients to Deny, Defend and Dominate in support of Cyberspace Superiority.” ManTech gave McCammon experience of offensive cyber operations as well as an understanding of how elite nation state adversaries go about their daily job.
Kyrus Tech was somewhat similar to ManTech, being founded by former ManTech employees. But it was fundamentally a software development company with a specialty in reverse engineering, data science, and advanced security solutions – and a culture of promoting original thinking among its employees. It was this culture that led to Carbon Black and the subsequent Red Canary spin out initially designed to maximize the leverage of Carbon Black’s telemetry. Red Canary was founded by three Kyrus employees, including McCammon.
McCammon says he ‘happened upon’ cybersecurity. It is tempting to suggest he was also guided by the Norns into it, and onward to Red Canary.
On being a security leader
McCammon has had no formal training in cybersecurity and has no academic qualifications in either computing or security. “Not one,” he said. Has it held back his career? “I don’t think so. While I lack an academic background, I’ve encountered a series of mentors who took the time to teach me. So, it hasn’t held me back, but nor have I succeeded because I’m brilliant. It’s just the combination of working with a series of incredible individuals together with my own determination and obstinance. My path took me into defensive and offensive areas of national security, and I was exposed – by chance – to an incredible set of folks who I’ve now worked with for the last 20 years.”
This begs a question. Since he has been both involved in defensive and up close with offensive security, should a cybersecurity leader be a hacker at heart? “There’s very little downside to that,” he said.
He doesn’t think of himself as a hacker, but considering his career and attitudes, it’s clear he has the mindset of a hacker. He certainly accepts that key characteristics of hackers are mission focus, inquisitiveness, and “more than anything else, just an unwillingness to give up until you achieve your objective.” That sounds remarkably like Keith McCammon.
His work has included offensive cybersecurity, including signals intelligence while being grounded in a national security mission. When we do it, it is signals intelligence (SIGINT); when they do it, it is cyber spying (espionage). At the same time, his defensive training pitted him against the elite hackers of nation state APTs. So, he has the advantage of knowing how hackers work, and how they can be stopped.
“Most organizations aren’t facing the type of adversary that we have on the national security side. Most organizations aren’t going to wake up in the morning and be staring down an apex adversary from one of the best teams from a nation-state. That’s not the reality of most breaches – but understanding how that happens and the methodical nature of cybersecurity intrusions, particularly by professionals who we think of as bad guys but they’re just doing their job… well, it’s been beneficial to me to have that experience and perspective.”
It has helped him, but he doesn’t think it’s essential or even always an advantage. “I think it would be hard to walk into a CISO role as a guns blazing hacker where all your experience is ripping things apart. That’s useful for understanding how people break into things, but it may miss a deep understanding of how enterprise systems are built and how they communicate – and all the constraints, the human factors, the risk factors, the budget factors. There’s a wide range of skills needed by the CISO, which is one of the most vertically integrated jobs I’ve ever come across. You need a good enough understanding of the hacker mindset, mentality and abilities; you need a good enough understanding of enterprise IT; you need to be a great communicator; and have a good mastery of the economics of the business you’re in.”
This vertical integration is a key factor in the fluidity of CISO churn. CISOs in large organizations tend to stay in the position for many years. Not so with smaller companies, where turnover is rapid, and tenure is short. There are four primary reasons for this: stress and burnout; a move to a better company with more resources, authority and remuneration; being scapegoated and sacked for a breach; and the job being eliminated through acquisition by a larger company that doesn’t need two CISOs.
“It’s the nature of the job,” explained McCammon. “When a CISO walks into a new job, from his first day, he or she already knows that the last day might be sooner than expected. There’s a ton of organizational dynamics in the work, and it’s adversarial by nature.” Sometimes the adversary is in-house – a finance manager seeking to reduce or limit the security budget, or business leaders demanding something that simply is not and cannot be secure, or staff that will not or cannot follow security guidelines. There is an inescapable element of Janus in the CISO.
A CISO may do a good job of securing the business while remaining insecure in the position. But that, said McCammon, is simply the nature of the job. What then, is the best personality or character trait that could help a CISO navigate such a complex, stressful, and tenuous position? McCammon offers two.
“Firstly, the ability to communicate,” he said. It may seem unrelated to the problems of security, but it is directly related to the solution of any problem. “Being a good thinker and communicator, and in particular, being a skilled writer, I think is critically important.”
But secondly, and even more important, is the ability to remain calm. “The single most important quality in a security leader is the ability to remain calm in a stressful situation,” he said. Kipling said similar years ago (with my apologies to all of today’s women leaders), “If you can keep your head when all about you are losing theirs and blaming it on you; if you can trust yourself when all men doubt you, but make allowance for their doubting too… you’ll be a man, my son.” Kipling wasn’t writing about CISOs – but what he wrote is well-matched to the modern role.
Industry Advice
Advice received from mentors is a key part of any career development. For McCammon, it isn’t simply advice but what you learn from experience and how you use that learning that is important. In effect, the advice was learned by observation of his many mentors. “I was working in the national security space with 60 or 70 facilities, with staff in all of them. I had led teams before, although this was the largest, and the stakes were very high.” He was facing an onslaught of nation state activity and needed extra leverage.
“I realized that sometimes you could be the proverbial smartest person in the room, but that doesn’t help you solve problems. What you really need is the ability to delegate effectively.” He had seen this in an earlier mentor. It’s not a case of telling someone what to do but trusting that they know and will do what needs to be done. The leader should teach principles and then trust team members to make their own decisions on fulfilling these principles.
“No one learns by just being told what to do and doing it. People learn by making their own decisions, making their own mistakes – and that’s where growth comes from.”
Pressed on whether he would offer any specific advice to others, he thought for a while and then said, “Be positive. Fight the nihilistic attitude around cybersecurity.” This is typified in the often quoted, ‘it’s not if, but when you are breached’. “I tell every new hire into Red Canary, ’The best way to complain is to make things’,” quoting the legendary Grace Hopper, developer of the world’s first nascent compiler for the UNIVAC computer.
“If you’re not successful or have a problem, you could complain about not having the people or tools you need. Or you could take a step back, stop complaining, and make something to make it work. Rather than getting dejected or upset because things like your organization or cybersecurity or the world aren’t working the way you think they should, go make something to make it work. Like build a little tool or build a program or teach people all the things that you wish you had been taught.”
It’s something he wishes he’d learned earlier in his career. “I absolutely went through the troughs of multiple disillusionment… this is never gonna work, we’re never gonna win. But just keeping your head up and remaining positive creates a virtuous cycle – and makes you the sort of person you’d like to talk to and have in your corner in a crisis.”
Perhaps we should adapt his advice to, “Be proactively positive.”
Current threats
It is usual to consider the major threats are the more active malware types, like ransomware, wipers, or infostealers. McCammon takes a different view. “Ransomware is a consequence – the realization of a bunch of other threats. I think, hands down, the most concerning trend is how things like ransomware happen,” he suggested.
The biggest threat is the versatility and increasing professionalism of the adversary. McCammon cites ClickFix as an example. “Instead of jumping through hoops to defeat all the security controls implemented by the target – just to deliver a phishing email – the adversary uses silent malvertising or a drive-by to engineer the user into inviting him in.”
This approach is ingenious and much more effective than the blaring, flashing warnings that ‘malware has been detected’ and you must click this link to get rid of it. The latter uses the emotional trigger of fear (but without trust), while ClickFix uses trust without fear.
This versatility in learning what works, coupled with the growth of crime-as-a-service spreading the availability of new techniques rapidly throughout the criminal ecosphere, is a bigger threat than individual malicious payloads. The payloads are the consequences of the real threat, the professionalization of cybercrime and the creativity of cyber criminals.
Related: CISO Conversations: Maarten Van Horenbeeck, SVP & CSO at Adobe
Related: CISO Conversations: Kevin Winter (Deloitte) and Richard Marcus (AuditBoard)
Related: CISO Conversations: Julien Soriano (Box) and Chris Peake (Smartsheet)
Related: CISO Conversations: Jaya Baloo From Rapid7 and Jonathan Trull From Qualys
