
The CISO Journey: Life Lessons and Concepts To Accelerate Your Professional Development 1st Edition Eugene M Fredriksen Download

The document is a guide titled 'The CISO Journey: Life Lessons and Concepts to Accelerate Your Professional Development' by Gene Fredriksen, aimed at helping professionals in cybersecurity and information security roles. It covers essential lessons, industry discussions, and practical advice for Chief Information Security Officers (CISOs) to enhance their skills and navigate their careers effectively. The book emphasizes the importance of risk management, organizational culture, and continuous learning in the field of cybersecurity.

Uploaded by

earbywkroisnp

The CISO Journey
Life Lessons and Concepts to Accelerate
Your Professional Development
Internal Audit and IT Audit
Series Editor: Dan Swanson
A Guide to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2.0)
Dan Shoemaker, Anne Kohnke, and Ken Sigler
ISBN 978-1-4987-3996-2

A Practical Guide to Performing Fraud Risk Assessments
Mary Breslin
ISBN 978-1-4987-4251-1

Corporate Defense and the Value Preservation Imperative: Bulletproof Your Corporate Defense Program
Sean Lyons
ISBN 978-1-4987-4228-3

Data Analytics for Internal Auditors
Richard E. Cascarino
ISBN 978-1-4987-3714-2

Fighting Corruption in a Global Marketplace: How Culture, Geography, Language and Economics Impact Audit and Fraud Investigations around the World
Mary Breslin
ISBN 978-1-4987-3733-3

Investigations and the CAE: The Design and Maintenance of an Investigative Function within Internal Audit
Kevin L. Sisemore
ISBN 978-1-4987-4411-9

Internal Audit Practice from A to Z
Patrick Onwura Nzechukwu
ISBN 978-1-4987-4205-4

Leading the Internal Audit Function
Lynn Fountain
ISBN 978-1-4987-3042-6

Mastering the Five Tiers of Audit Competency: The Essence of Effective Auditing
Ann Butera
ISBN 978-1-4987-3849-1

Operational Assessment of IT
Steve Katzman
ISBN 978-1-4987-3768-5

Operational Auditing: Principles and Techniques for a Changing World
Hernan Murdock
ISBN 978-1-4987-4639-7

Securing an IT Organization through Governance, Risk Management, and Audit
Ken E. Sigler and James L. Rainey, III
ISBN 978-1-4987-3731-9

Security and Auditing of Smart Devices: Managing Proliferation of Confidential Data on Corporate and BYOD Devices
Sajay Rai, Philip Chukwuma, and Richard Cozart
ISBN 978-1-4987-3883-5

Software Quality Assurance: Integrating Testing, Security, and Audit
Abu Sayed Mahfuz
ISBN 978-1-4987-3553-7

The CISO Journey: Life Lessons and Concepts to Accelerate Your Professional Development
Gene Fredriksen
ISBN 978-1-138-19739-8

The Complete Guide to Cybersecurity Risks and Controls
Anne Kohnke, Dan Shoemaker, and Ken E. Sigler
ISBN 978-1-4987-4054-8

Cognitive Hack: The New Battleground in Cybersecurity ... the Human Mind
James Bone
ISBN 978-1-4987-4981-7

The CISO Journey
Life Lessons and Concepts to Accelerate
Your Professional Development

Gene Fredriksen
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2017 by Taylor & Francis Group, LLC


CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Printed on acid-free paper

International Standard Book Number-13: 978-1-138-19739-8 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are
used only for identification and explanation without intent to infringe.

Library of Congress Cataloging‑in‑Publication Data

Names: Fredriksen, Gene, author.


Title: The CISO journey : life lessons and concepts to accelerate your professional
development / Gene Fredriksen.
Description: Boca Raton, FL : CRC Press, 2017.
Identifiers: LCCN 2016043407 | ISBN 9781138197398 (hb : alk. paper)
Subjects: LCSH: Chief information officers. | Computer security. | Computer
networks--Security measures. | Data protection.
Classification: LCC HF5548.37 .F735 2017 | DDC 658.4/78--dc23
LC record available at https://lccn.loc.gov/2016043407

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com

Contents

List of Figures
List of Tables
Prologue
Foreword
Acknowledgments
Author

Section I INTRODUCTION AND HISTORY


1 Introduction: The Journey
2 Learning from History?
3 My First CISO Lesson: The Squirrel
  The Big Question: How Did I End Up in Info Security?

Section II THE RULES AND INDUSTRY DISCUSSION


4 A Weak Foundation Amplifies Risk
  Patching: The Critical Link…
  It’s about More Than Patching
  Patching Myth One
  Patching Myth Two
  Patching Myth Three
  Patching Myth Four
  Scanning Required!
  Misconception One
  Misconception Two
  Misconception Three
  Misconception Four
  Misconception Five
  Environment Control
  Tracking IT Assets
  Risk Management
  Key Questions to Ask
5 If a Bad Guy Tricks You into Running His Code on Your Computer, It’s Not Your Computer Anymore
  Worms, Trojans, and Viruses: What’s in a Name?
  Myth One
  Myth Two
  Myth Three
  Myth Four
  Myth Five
  Myth Six
  Myth Seven
  Myth Eight
  Myth Nine
  Myth Ten (and My Personal Favorite)
  Attack Types Are Wide-Ranging
  Social Engineering
6 There’s Always a Bad Guy Out There Who’s Smarter, More Knowledgeable, or Better-Equipped Than You
  What about Your People?
  Plan for the Worst
  Not All Alerts Should Be Complex
  What about Wireless?
  Context-Aware Security
  Suggested Reading
7 Know the Enemy, Think Like the Enemy
  Monitoring What Leaves Your Network Is Just as Important as Monitoring What Comes In: Introducing the “Kill Chain” Methodology
  Stack the Deck in Your Favor
  Picking the Right Penetration Test Vendor
  How Should Penetration Testing Be Applied?
  Selecting a Vendor
8 Know the Business, Not Just the Technology
  The Role of Risk Management within the Enterprise
  Separation of Duties
  Is There an Overlap between Legal, Compliance, and Human Resources?
  A Model Structure
  Risk Management/Organizational Management Interaction
  Executive Steering Committee
  Information Security Officer Committee
  Information Security Department Staffing
  The Compliance Arm of the CISO Office
  Security Operations and Engineering
  User Access and Administration
  Advice for the New CISO
  Tying Your Goals and Objectives to Company Goals
  Conclusion
9 Technology Is Only One-Third of Any Solution
  Let’s Look at Risk Management and the People, Process, and Technology Methodology
  Safe Harbor Principles
  Prevent
  Detect
  Respond
  Recover
10 Every Organization Must Assume Some Risk
  No Is Seldom the Answer
  Strive for Simplicity
  Risk Planning Is Just as Important as Project Planning
  Dealing with Internal Audit
  The Work
11 When Preparation Meets Opportunity, Excellence Happens
  End-User Training and Security Awareness
  Flashback to High School Memories…
  Training Methods
  New Hire Training
  Awareness Seminars
  Security Policy
  Roles and Responsibilities
  Company Board and Executives
  Chief Information Officer
  Information Technology Security Program Manager
  Managers
  Users
  Formal Training
  Brown Bag Lunches
  Organizational Newsletters
  Awareness Campaigns
  Tests and Quizzes
  Funding the Security Awareness and Training Program
  Summary
12 There Are Only Two Kinds of Organizations: Those That Know They’ve Been Compromised and Those That Don’t Know Yet
  Loss Types
  Consequences of Loss
  How Can DLP Help?
  Prevention Approach
  PCI DSS Credit Card Guidelines
  Guidelines
  Credit Card Processing Procedures
  Employee Loyalty Is a Factor
  What Can You Do?
13 In Information Security, Just Like in Life, Evolution Is Always Preferable to Extinction
  Security Strategic Planning
  The Planning Cycle
  Foundation/Strategy
  Assessment and Measurement
  Key Risk Identification
  Develop the Strategic Plan
  Process Inputs
  Money, Money, Money…
  Capital Expenditures
  Operational Expenses
14 A Security Culture Is In Place When Talk Is Replaced with Action
  Introduction
  Training
  Basics
  Technology
  Data Security
  Productivity
  Communication
  E-mail
  Morale
  Metrics and Measures
  Workplace
  Conclusion
15 NEVER Trust and ALWAYS Verify
  Trust Your Vendors: Home Depot
  Nervous about Trusting the Cloud?
  Does Your System Encrypt Our Data while They Are Stored on Your Cloud?
  Does the Provider Have a Disaster Recovery Plan for Your Data?
  Don’t Confuse Compliance with Security
  Has the Potential Vendor Earned Certifications for Security and Compliance That Can Provide Assurance of Their Capabilities?
  What Physical Security Measures Are in Place at the Supplier’s Data Centers?
  Where Are My Data Being Stored?
  Vendor Oversight Program Basics
  Internal Trust

Section III SUMMARY
16 My Best Advice for New CISOs
  Talking to the Board
Appendix A: The Written Information Security Plan
Appendix B: Talking to the Board
Appendix C: Establishing an Incident Response Program
Appendix D: Sample High-Level Risk Assessment Methodology
Index
List of Figures

Figure 1.1 Threat cycle
Figure 4.1 Elements versus functions
Figure 4.2 Support life cycle
Figure 4.3 Patching
Figure 4.4 OSI layers
Figure 4.5 Risk matrix
Figure 6.1 My dad invents “defense in depth”
Figure 7.1 What the bad guys want
Figure 7.2 Rising sophistication
Figure 7.3 Attack frequency
Figure 7.4 Kill chain
Figure 8.1 Balance
Figure 8.2 Risk versus organizational pressures
Figure 8.3 Risk management organization
Figure 8.4 Information Security Executive Council
Figure 8.5 Information Security Officer Committee
Figure 8.6 Office of the Chief Information Security Officer
Figure 8.7 RACI
Figure 8.8 Program goals
Figure 9.1 People, technology, process
Figure 9.2 Resiliency
Figure 9.3 Controls versus risk areas
Figure 10.1 Risk versus means
Figure 10.2 Risk versus means (2)
Figure 10.3 Keep it simple
Figure 11.1 Awareness poster
Figure 13.1 Security strategy
Figure 13.2 Security plan
Figure 13.3 Compliance program goals
Figure 13.4 Investment priorities
Figure 13.5 Impact versus effectiveness
Figure A.1 Business continuity
Figure B.1 Board engagement
Figure B.2 Board framework
Figure B.3 Cost of a breach
Figure C.1 CSIRT organization chart
Figure C.2 Notification process
Figure C.3 Six stages of CSIR
Figure C.4 Incident RACI
Figure D.1 Risk assessment
Figure D.2 Risk assessment matrix
List of Tables

Table 15.1 Trust
Table 15.2 Trust with value
Table C.1 Security level classifications
Table C.2 Contact information
Table D.1 Overall risk

Prologue

Gaining Wisdom along the Journey


Ask anyone in the cybersecurity industry and they’ll tell you that there’s a stagger-
ing shortage of talent entering the field. This is happening at a time when informa-
tion security is more critical than ever before in underpinning the successful and
ongoing business operations of organizations everywhere.
As we continue to experience a relentless succession of cyberattacks unleashed
on both private- and public-sector organizations, government and executive lead-
ers alike are becoming increasingly aware of just how crucial their information
security postures are to their mere subsistence. Standing at the forefront of the
charge to make cybersecurity initiatives a way of life for businesses everywhere are
the professionals who are tasked with not only trying to thwart current or future
onslaughts but also identifying a throng of vulnerabilities within their infrastruc-
tures that could lead to additional attacks or result in penalties against their compa-
nies because of noncompliance with a bevy of industry and government mandates.
These and still other problematic information security issues, such as the adoption
by organizations of the newest technologies or the ever-changing ways people
engage with businesses today, which are all rife with weaknesses and appealing
attack surfaces, have spurred a desperate need for organizations to employ qualified
information security professionals at every level—from IT security analysts and
architects to risk and compliance directors to Chief Information Security Officers
(CISOs). Such practitioners have far-reaching roles that must see them build, maintain,
and continuously update holistic risk management and compliance strategies
and day-to-day tactics that account for internal- and external-facing operations and
policies.
In other words, cybersecurity and privacy needs are acutely evident to growing
numbers of professional leaders and everyday citizens. Yet, the resources, budget,
and qualified practitioners required to adequately address these apparent necessities
remain disproportionate to the assortment of today’s security challenges. Perhaps,
too, the basic understanding of what now is essentially a condition of not only
conducting business but also simply living day to day is still being lost on some
individuals and groups who are poised to set powerful examples of how cybersecurity
must be integrated into pretty much every aspect of our lives.
According to a recent study undertaken by Intel Security in partnership with
the Center for Strategic and International Studies, 76% of corporate IT leaders
involved in cybersecurity decision-making who participated in the research said
their respective governments are failing to invest enough in building specialized
talent. Based on interviews with some 900 IT decision-makers from organizations
with at least 500 employees situated in a range of countries (including the United
States and seven others), a meager 23% said educational programs are actually preparing
students to enter the industry. More than half stated that the cybersecurity
skills shortage is worse than those faced by other IT professions.
Yet the scarcity of qualified pros has become a more prominent political focal
point for some in the last couple of years, prompting the likes of our own President
Obama and other countries’ leaders to urge greater support for the information
security field and its professionals’ growth and development. Even with a few promising
proposals underway, however, they couldn’t happen soon enough given that
about 70% of the research participants said the current talent shortage is causing
direct, measurable harm to their networks. In fact, one in four admitted that their
businesses have lost proprietary or critical data because of the dearth of cybersecurity
skills on hand within their organizations.
What’s needed, they explained further, is some hearty on-the-job training,
which takes precedence over a mere university degree, though individuals looking
for a role in their companies must have formal educational credentials to garner
any serious consideration. Also, more vigorous continuous education, engaging
instructional opportunities and nontraditional methods of learning, such as hands-on
exercises, hackathons, and more, likely would prove an additional boost to
strengthening the talent pool.
In this regard, information security industry conferences and events—especially
those boasting more varied and practical learning experiences—have become more
vital and, as a result, well attended by seasoned pros and newbies alike. For Gene
Fredriksen, these gatherings are a pretty decent barometer in revealing how the
industry is changing and what long-time, more-seasoned leaders like him, a group he
calls “the first generation of CISOs,” can do to help it continue to thrive and evolve.
Mentoring, as he notes in the following pages of this book, is a main component
crucial to the ongoing development of this marketplace and the people in it. And
this happens not only at a variety of industry events, but also is critical on the job.
“As I move further into my career, my focus is on evangelism and helping to
drive the overall profession further. Part of that is helping peers explain complex
issues clearly to the E-suite (executive suite),” he explained to me in an e-mail
exchange last year. “It’s all about passing the torch and leaving things better as the
first generation of CISOs begins to retire.”
He called out some signs of this metamorphosis when attending one of the
longest-standing industry events, the RSA Conference, last year. As he looked
around at others hitting the show, he remembered thinking: “When did they start
allowing 12-year-olds on the exhibit floor? I can’t believe I got my first full-time
infosec job in 1989.”
But it’s that experience starting in the field right when it was only at the extreme
early stages of any real, well-formed profession that has enabled him to pick up
many a lesson along the way, study with varied and experienced mentors, make and
learn from mistakes, hone and grow his technical and leadership skills, and develop
and refine a robust information security philosophy. Enlisting all this know-how,
he has found himself over the years establishing and managing both cybersecurity
plans and departments for global organizations that often had neither when he
started there. Really, as an infosec pioneer, his own vocational beginning was just
as fledgling as the cybersecurity industry itself; he played an indispensable role
alongside others like him to drive and mold what it meant to create, propel, and
oversee an information security strategy and the teams and divisions supporting it.
After I met Gene around 2003 or so, he asked that I come to St. Petersburg,
Florida, to participate in a conference he had organized at the long-standing
financial services company Raymond James where he worked at the time as the
company’s first CISO. The roster was stellar, having other leading industry practitioners
like him speaking alongside cybersecurity specialists from the likes of the
FBI, DHS, and others. That I was asked to participate was an honor, especially
given that our first engagement was impelled by a disagreement over some topic or
another that I covered in one of my commentaries. Gene recalls contacting me with
his differing thoughts.
“The following month, you put a follow-up [in another commentary] saying
that Gene Fredriksen of Raymond James didn’t completely agree with your views
and passed them along. Shortly after that we talked and it’s been a great relationship
ever since,” he recalls.
And it has. His professionalism, thoughtfulness, and combination of both technical
prowess and business acumen saw his career blossom over the years. From
Raymond James, he moved to IT industry research and analysis company Burton
Group, which was acquired by Gartner in recent years, to become one of their
leading industry analysts. After that, he was off to security systems giant Tyco
International where he created their global cybersecurity strategy and division,
thereby helping to advance the security of both internal operations and external
product offerings. And, currently, he is CISO for financial services firm PSCU,
which provides both traditional and online assistance to more than 800 credit
unions. All the while, he has contributed columns to SC Magazine and scmagazine.com,
spoken at our events—both live and online, participated on our Editorial
Advisory Board, and been a cover story subject who shared his thoughts on threat
intelligence gathering and kill chain processes to support information security
strategies and initiatives. More than that, though, he has provided much-welcome
guidance to me as my team and I navigated the industry to ensure that our brand
was always improving and always meeting the needs of CISOs like him.
Mentoring—not only does he advocate it in the pages of this book, but he
engages in it every single day with folks like me, his staff, colleagues, and, of course,
his own kids. And he reminds us all that we should embrace opportunities to guide,
educate, and welcome both new talent, whether they’re just starting their careers
or making transitions from others, to continue driving the overall industry, the
profession itself, and ourselves ever forward.
“Much of what we do as CISOs or security professionals is based on our experiences
and the lessons we have learned over the years,” he states in his introduction
to this book. “Mentorship is a critical part of the development of our skills.”
He couldn’t be more accurate. And what he provides here in The CISO Journey
are outcomes from some of those learning moments he has experienced over his
career, the challenges along the way that helped him to continue to progress professionally
and personally, and the “rules of information security” that he has modified
from peers or shaped and sharpened himself. Infused with a little humor along
the way—because seeing the laughable side of situations is a trait that can soften
even some of the hardest blows dealt to us all, Gene now presents to you all of his
rules, industry best practices, and sage counsel to aid you on your own journey.

Illena Armstrong
VP, Editorial, SC Magazine

Illena Armstrong is VP, Editorial of SC Magazine, the leading business magazine
for the information security industry, where she manages editorial staff in New
York and Michigan. She is responsible for overseeing the award-winning monthly
publication and its many other editorial offerings, including scmagazine.com, the
SC Magazine Canada monthly digital editions, numerous eConferences, webcasts,
newsletters, and physical events in the United States and Canada, and more. She
has spoken and moderated at a number of industry events, including SC World
Congress, SC Congress Canada, SC Magazine Roundtables, the RSA Conference,
the Techno Security Conference, and others. On her watch, SC Magazine has won
more than 20 awards, including Magazine of the Year 2009, from the American
Society of Business Publication Editors (ASBPE). Before her stint at SC Magazine,
she worked for various newspapers and magazines in New England and the southern
United States.
Foreword

Security is a complex subject and an equally complicated problem to solve. Volumes
have been written on the subject, much of which has a rather short half-life given
the rapid change in technology and the creativity of the adversaries we face. Sir
Alfred J. Ayer (1910–1989), a noted English philosopher, once said, “There never
comes a point where a theory can be said to be true. The most that one can claim
for any theory is that it has shared the successes of all its rivals and that it has passed
at least one test which they have failed.” So it is with approaches to security. There
is no absolute solution, just incrementally better ones.
What Gene Fredriksen has offered us is not so much a technical discourse on
security but rather a common sense approach to security based on his years of experience.
He offers approaches that can lead to better solutions and enhanced security.
As Gene once explained to me, “Never get into a fight without the data to back you
up.” This sage and simple advice has helped me throughout the years. It is common
sense that many leaders of today seem to lack or have erroneously supplanted with
technology. Common sense is far more enduring than technology though evidently
more difficult to acquire.
What Gene presents is a sort of Ockham’s Razor for security. Another way to
sum it up is it reflects the KISS principle: keep it simple, stupid. Anyone who has
worked with Gene knows how he avoids complexity, which has served him and
the companies he has worked for well. There are no precise answers offered in this
book to the myriad challenges you may face in your security role. It is more like the
irrational numbers Pi or Phi that offer no precision yet present elegance in their very
existence and application to real world problems.

Richard D. Lanning, Jr., PhD
Planear, LLC

Acknowledgments

With special thanks to:

Richard Lanning, PhD: His help was instrumental in the creation of this book.
His ethics, analytical skills, and industry knowledge are a great asset to the
company and me personally. I value his friendship and counsel.
Illena Armstrong, SC Magazine VP and Editor: She has been a longtime source
of support and advice.
Pamela Fredriksen, my wife: Her support and love have kept me “shiny side
up” during this journey. There were many late nights and long trips over the
years and she has always been there for me.
Heather, Jeff, Holly, and Joe, our four children: They have kept life interesting
and rewarding for me. Thanks for your support and inspiration.
Kathy Simpson: Her graphics skills are amazing. Thank you for your invaluable
help.
Deborah Kobza, CEO of the Global Institute for Cyber Security and Research:
A longtime friend and peer who has influenced my career.
David Bryant, Information Security Officer, PSCU: He has worked with me
at many companies over the last 16 years. Thank God he is patient and long
suffering.
Lori Lucas, Head of Technology Compliance for PSCU: She has also been a
longtime friend and advisor.
Rini Fredette, Enterprise Risk Officer for PSCU: A great peer and an expert in
the area of Enterprise Risk.
Lee Carpella: Instrumental in the editing of this book.
Larry Clinton, CEO of the Internet Security Alliance: An expert in the Cyber
Security Industry and Regulatory space. Larry is a great friend and advisor.
Richard Jacek: He was my first official mentor in industry. I still use many of
the skills he taught me today.

Brad Anderson: A longtime friend and associate who has helped me shape my
views of technology and the world.
Chuck Fagan, CEO of PSCU: If there was a template for a Security Aware
CEO, it would be Chuck.
Michael Echols, CEO of the International Association for Certified ISAOs:
Mike is an exceptional resource given his broad range of private sector and
government experience.
Israel Martinez, CEO of Axon: A mentor and friend for many years.
Author

Gene Fredriksen, Chief Information Security Officer at PSCU, is responsible for
the company’s development of information protection and technology risk programs.
Gene has more than 25 years of information technology experience, with
the last 20 focused in information security. In this capacity, he has been heavily
involved with all areas of audit and security. Before joining PSCU, Gene held the
positions of CISO for Tyco International, principal consultant for Security and
Risk Management Strategies for Burton Group, vice president of Technology Risk
Management and chief security officer for Raymond James Financial, and information
security manager for American Family Insurance. Gene is a distinguished
fellow with the Global Institute for Cyber Security and Research, located at the
Kennedy Space Center. He is also the executive director of the newly formed
National Credit Union Information Sharing and Analysis Organization. He was
the chair of the Security and Risk Assessment Steering Committee for BITS,
and served on the R&D committee for the Financial Services Sector Steering
Committee of the Department of Homeland Security. Gene is a distinguished fellow
for the Global Institute for Cyber Security and Research, headquartered at the
Kennedy Space Center. Gene is a member of the SC Magazine Editorial Advisory
Board and was named one of three finalists for the SC Magazine CISO of the
Year Award in 2015. He served as chair of the St. Petersburg College Information
Security Advisory Board and the Howard University Technology Advisory Board.
He is a member of multiple advisory boards for universities, organizations, and
security product companies. Gene attended the FBI Citizens Academy and maintains
a close working relationship with both local and federal law enforcement
agencies.

I INTRODUCTION AND HISTORY

Let’s get started by looking at a little history, both from a personal and an information
security standpoint. In an era of unprecedented change, sometimes it takes a
look backward to help chart the course forward.
My best advice? Understand where you are before you decide how to get to your goal.
Chapter 1

Introduction: The Journey

My name is Gene and I’m a long-term cybersecurity guy. In fact, I’m sneaking up
on retirement in a few years. I’m not sure if I should be relieved that I’ve survived or
sad that I will miss the daily challenge. As I reflect on my career as a CISO (Chief
Information Security Officer), it dawned on me that those of us around my age are
really the first generation of those to hold the CISO role. We have seen this career
path morph over the last 20 or so years from a sideline buried in information technology,
to a strategic and visible role. I am excited about what the future holds for
those who succeed me.
I’ve seen all facets of information security change drastically over the years.
There is an old adage from the 1930s that basically said, “Better Bank Vaults Breed
Better Safe Crackers.” It really is a variant on the continuous improvement cycle.
As security technology becomes more robust, those creating ways to circumvent
the security become more technically competent and creative (Figure 1.1). This
continuing spiral means that we can’t become stagnant or complacent. If we do,
we will lose.
I’ve also seen the regulatory and governance side of the CISO job change. Let’s
be honest, when I accepted the first job where Information Security was part of the
title, it was “Manager of Information Security and E-mail.” Even the business was
not sure that this new “information security thing” would be a full-time job. Even
I wondered if technology might solve the whole virus and hacker problem. In the
1980s, there were few regulations about information protection, even in the financial
services sector. Now, negotiating the complexity of overlapping and sometimes
conflicting regulations and laws can be mind-numbing at the least.
Also, to be honest, I thought that as I approached retirement, I would be spending
more time at my desk, directing a great team who would be doing the hard
work. OK, now I know that was completely delusional. Today, I’m working harder
than I have in my life. Whatever rules there are, change daily.

[Figure 1.1 Threat cycle. Stages shown: a new threat is born; a new threat is published; a new security control is created; attackers write an attack to evade control.]

As I thought about what kind of amazing book I would write, I, like many other
CISOs, came up with all sorts of technical and process topics. However, the more I
thought about it, the more it became obvious to me that this was probably not the
right choice.
As CISOs, we are charged with developing protection systems and processes
to protect the data of a specific company. Based in a large part on our experiences,
we design these systems, applying technologies to meet the needs of our business.
There is never a one size fits all. Given that, I’ve decided to share the journey from
mechanical engineer to CISO. The lessons and pearls of wisdom I’ve collected along
the way are what have collectively made me what I am today. Let me absolutely state
that I don’t consider myself the model of the world’s greatest CISO. God knows I’ve
had my share of problems over the years. What I’m hoping to do is share my mistakes,
experiences, and lessons. Hopefully, you will find one or two of value in this
personal, slightly irreverent look at the evolution of a typical cybersecurity career.
Hopefully, you will see a little of yourself in the following pages.
Exploring the Variety of Random
Documents with Different Content
MOUNT HUNGER, MILL SETTLEMENT, BARTON'S
RIVER, VERMONT, May 19, 1896.

DEAREST PAPA,--Good-morning! I am answering your long letter a
little sooner than I expected to, because I want you to do something
for me in a business way; that's the way March says it must be.
I don't know how to begin to tell you, but I 've joined the
N.B.B.O.O. Society and one of the by-laws is that we must help
others all we can and just as much as we can. I wish you'd been at
the initiashun. (I don't know about that spelling, and I 'm in a hurry,
or I 'd ask.) I had the hand of fellowship from a supposed corpse's
hand first, and then I was branded on the arm. And afterwards they
all took me in, and now we 're raising four hundred chickens to help
others; I 'll tell you all about it when you come. Chi, that's the hired
man, but he is really our friend, took me sitting-hen hunting day
before yesterday, for I am to own some myself; and we drove all
over the hills to the farmhouses and found and bought twelve, or
rather Chi did, for I had to borrow the money of him, as I felt so bad
when I kissed you good-bye that I forgot to tell you my quarterly
allowance was all gone, and I know you won't like my borrowing of
Chi, for you have said so many times never to owe anybody and I've
always tried to pay for everything except when I had to borrow of
Gabrielle, or Mrs. Scott, when I forgot my purse.
But truly the hens were in such an awful hurry to sit, that it did
seem too bad to keep them waiting even three days till I could get
some money from you; and then, too, we 've all of us, March and
Rose and Budd and Cherry and me, bet on which hen would get the
first chicken, and that chicken is going to be a prize chicken and
especially fatted, and of course, if I waited for the money to come
from you, I could n't stand a chance of coming out ahead in our four
hundred chicken race, so I borrowed of Chi. The hens came to just
$4 and eighty cents. I'll pay you back when I earn it, and don't you
think it would have been a pity to lose the chance for the prize
chicken just for that borrow?
Please send the money by return mail. I 've other letters to
write, so please excuse my not paragraphing and so little
punctuation, but I 've so much to do and this must go at once.

Your loving and devoted daughter,
HAZEL CLYDE.

P.S. The hens are sitting around everywhere. Give my love to
Wilkins. H.C.

The Doctor shouted; then he stepped to the dining-room door and
called, "Wifie, come here and bring that letter."
Mrs. Heath came in smiling, with a letter in her hand, which,
after cordially greeting Mr. Clyde, she read to him,--an amazed and
outwitted father.

MOUNT HUNGER, MILL SETTLEMENT, BARTON'S
RIVER, VERMONT, May 19, 1896.

MY DEAR MRS. HEATH,--Please thank my dear Doctor Heath for the
note he sent me two weeks ago. I ought to write to him instead of
to you, for I don't owe you a letter (your last one was so sweet I
answered it right off), but he never allows his patients strawberry
preserve and jam, so it would be no use to ask his help just now, as
this is pure business, March says.
We are trying to help others, and the strawberries--wild ones--
are as thick as spatter--going to be--all over the pastures, and we 're
going to pick quarts and quarts, and Rose is going to preserve them,
and then we 're going to sell them.
Do you think of anybody who would like some of this preserve?
If you do, will you kindly let me know by return mail?
I can't tell just the price, and March says that is a great
drawback in real business, and this is real--but it will not be more
than $1 and twenty-five cents a quart. They will be fine for
luncheon. I never tasted any half so good at home.
My dear love to the Doctor and a large share for yourself from

Your loving friend,
HAZEL CLYDE.

P.S. Rose says it is n't fair for people to order without knowing the
quality, so we 've done up a little of Mrs. Blossom's in some
Homeepatic (I don't know where that "h" ought to come in) pellet
bottles, and will send you a half-dozen "for samples," March says, to
send to any one to taste you think would like to order. H.C.

"The cure is working famously," said Doctor Heath, rubbing his
hands in glee.
"Well," said Mr. Clyde, laughing, "I may as well make the best of
it; but I can't help wondering whether the wholesale grocers in town
have been asked to place orders with Mount Hunger, or the
Washington Market dealers for prospective chickens! There 's your
office-bell; I won't keep you longer, but if this 'special case' of yours
should develop any new symptoms, just let me know."
"I 'll keep you informed," rejoined the Doctor. "Better run up
there pretty soon, Johnny," he called after him.
"I think it's high time, Dick. Good-bye."
At that very moment, a symptom of another sort was
developing in Z---- Hall, Number 9, at Harvard.
Jack Sherrill and his chum were discussing the last evening's
Club theatricals. "I saw that pretty Maude Seaton in the third or
fourth row, Jack; did she come on for that,--which, of course, means
you?"
"Wish I might think so," said Jack, half in earnest, half in jest,
pulling slowly at his corn-cob pipe.
"By Omar Khayyam, Jack! you don't mean to say you 're hit, at
last!"
"Hit,--yes; but it's only a flesh-wound at present,--nothing
dangerous about it."
"She 's got the style, though, and the pull. I know a half-dozen
of the fellows got dropped on to-night's cotillion."
"Kept it for me," said Jack, quietly.
"No, really, though--" and his chum fell to thinking rather
seriously for him.
Just then came the morning's mail,--notes, letters, special
delivery stamps, all the social accessories a popular Harvard man
knows so well. Jack looked over his carelessly,--invitations to dinner,
to theatre parties, "private views," golf parties, etc. He pushed them
aside, showing little interest. He, like his Cousin Hazel, was used to
it.
The morning's mail was an old story, for Sherrill was worth a
fortune in his own right, as several hundred mothers and daughters
in New York and Boston and Philadelphia knew full well.
Moreover, if he had not had a penny in prospect, Jack Sherrill
would have attracted by his own manly qualities and his
exceptionally good looks. His riches, to which he had been born, had
not as yet wholly spoiled him, but they cheated him of that ambition
that makes the best of young manhood, and Life was out of tune at
times--how and why, he did not know, and there was no one to tell
him.
He had rather hoped for a note from Maude Seaton, thanking
him, in her own charming way, for the flowers he had sent her on
her arrival from New York the day before. True, she had worn some
in her corsage, but, for all Jack knew, they might have been another
man's; for Maude Seaton was never known to have less than four or
five strings to her bow. It was just this uncertainty about her that
attracted Jack.
"Hello! Here 's a letter for you by mistake in my pile," said his
chum.
"Why, this is from my little Cousin Hazel, who is rusticating just
now somewhere in the Green Mountains." Jack opened it hastily and
read,--

MOUNT HUNGER, MILL SETTLEMENT, BARTON'S
RIVER, VERMONT, May 19, 1896.

DEAREST COUSIN JACK,--It is perfectly lovely up here, and I 've
been inishiated into a Secret Society like your Dicky Club, and one of
the by-laws is to help others all we can and wherever we can and as
long as ever we can, and so I 've thought of that nice little spread
you gave last year after the foot-ball game, and how nice the table
looked and what good things you had, but I don't remember any
strawberry jam or preserves, do you?
We 're hatching four hundred chickens to help others,--I mean
we have set 40 sitting hens on 520 eggs, not all the 40 on the five
hundred and twenty at once, you know; but, I mean, each one of
the 40 hens are sitting on 13 eggs apiece, and March says we must
expect to lose 120 eggs--I mean, chickens,--as the hens are very
careless and sit sideways--I 've seen them myself--and so an extra
egg is apt to get chilly, and the chickens can't stand any chilliness,
March says. But Chi, that's my new friend, says some eggs have a
double yolk, and maybe, there 'll be some twins to make up for the
loss.
Anyway, we want 400 chickens to sell about Thanksgiving time,
and, of course, we can't get any money till that time. So now I 've
got back to your spread again and the preserves, and while we 're
waiting for the chickens, we are going to make preserves--dee-
licious ones! I mean we are going to pick them and Rose is going to
preserve them. We 've decided to ask $1 and a quarter a quart for
them; Rose--that's Rose Blossom--says it is dear, but if you could see
my Rose-pose, as Chi calls her, you 'd think it cheap just to eat them
if she made them. She 's perfectly lovely--prettier than any of the
New York girls, and when she kneads bread and does up the dishes,
she sings like a bird, something about love. I'll write it down for you,
sometime. I 'm in love with her.
Please ask your college friends if they don't want some jam and
wild strawberry preserves. If they do, March says they had better
order soon, as I've written to New York to see about some other
orders.

Yours devotedly,
HAZEL.

P.S. I 've sent you a sample of the strawberry preserve in a
homeepahtic pellet bottle, to taste; Rose says it is n't fair to ask
people to buy without their knowing what they buy. I saw that Miss
Seaton just before I came away; she came to call on me and
brought some flowers. She said I looked like you--which was an
awful whopper because I had my head shaved, as you know; I
asked her if she had heard from you, and she said she had. She is
n't half as lovely as Rose-pose. H.C.

IX
THE PRIZE CHICKEN

There was wild excitement, as well as consternation, in the
farmhouse on the Mountain.
On the next day but one after Hazel had sent her letters, Chi
had brought up from the Mill Settlement a telegram which had come
on the stage from Barton's. It was addressed to, "Hazel Clyde, Mill
Settlement, Barton's River, Vermont," and ran thus:--
CAMBRIDGE, May 20, 1 P.M.
Hope to get in our order ahead of New York time. Seventeen
dozen of each kind. Letter follows.
JACK.

"Seventeen dozen!" screamed Rose, on hearing the telegram.
"Seventeen dozen of each kind!" cried Budd.
"Oh, quick, March, do see what it comes to!" said Hazel.
Then such an arithmetical hubbub broke loose as had never
been heard before on the Mountain.
"Seventeen times twelve," said Rose,--"let me see; seven times
two are fourteen, one to carry--do keep still, March!" But March
went on with:--
"Twelve times four are forty-eight--seventeen times forty-eight,
hm--seven times eight are fifty-six, five to carry--Shut up, Budd; I
can't hear myself think." But Budd gave no heed, and continued his
computation.
"Four times seventeen are--four times seven are twenty-eight,
two to carry; four times one are four and two are--I say, you 've put
me all out!" shouted Budd, and, putting his fingers in his ears, he
retired to a corner. Rose continued to mumble with her eyes shut to
concentrate her mind upon her problem, threatening Cherry
impatiently when she interrupted with her peculiar solution, which
she had just thought out:--
"If one quart cost one dollar and twenty-five cents, twelve
quarts will cost twelve times one dollar and twenty-five cents, which
is, er--twelve times one are twelve; twelve times twenty-five! Oh,
gracious, that's awful! What's twelve times twenty-five, March?"
"Shut up," growled March; "you 've put me all off the track."
"Me, too," said Rose, in an aggrieved tone.
Mrs. Blossom had been listening from the bedroom, and now
came in, suppressing her desire to smile at the reddened and
perplexed faces. "Here 's a pencil, March, suppose you figure it out
on paper."
A sigh of relief was audible throughout the room, as March sat
down to work out the result. "Eight hundred and sixteen quarts at
one dollar twenty-five a quart," said March to himself; then, with a
bound that shook the long-room, he shouted, "One thousand and
twenty dollars!" and therewith broke forth into singing:--

"Glory, glory, halleluia!
Glory, glory, halleluia!
Glory, glory, halleluia,
For the N.B.B.O.O.!"

The rest joined in the singing with such goodwill that the noise
brought in Chi from the barn. When he was told the reason for the
rejoicing, he looked thoughtful, then sober, then troubled.
"What's the matter, Chi? Cheer up! You have n't got to pick
them," said March.
"'T ain't that; but I hate to throw cold water on any such
countin'-your-chickens-'fore-they 're-hatched business," said Chi.
"'T is n't chickens; it's preserves, Chi," laughed Rose.
"I know that, too," said Chi, gravely. "But suppose you do a little
figuring on the hind-side of the blackboard."
"What do you mean, Chi?" asked Hazel.
"Well, I 'll figure, 'n' see what you think about it. Seventeen
dozen times four, how much, March?"
"Eight hundred and sixteen."
"Hm! eight hundred and sixteen glass jars at twelve and a half
cents apiece--let me see: eight into eight once; eight into one no
times 'n' one over. There now, your jars 'll cost you just one hundred
and two dollars."
There was a universal groan.
"'N' that ain't all. Sugar 's up to six cents a pound, 'n' to keep
preserves as they ought to be kept takes about a pound to a quart.
Hm, eight hundred 'n' sixteen pounds of sugar at six cents a pound--
move up my point 'n' multiply by six--forty-eight dollars 'n' ninety-six
cents; added to the other--"
"Oh, don't, Chi!" groaned one and all.
"It spoils everything," said Rose, actually ready to cry with
disappointment.
"Well, Molly Stark, you 've got to look forwards and backwards
before you promise to do things," said Chi, serenely; and Rose,
hearing the Molly Stark, knew just what Chi meant.
She went straight up to him, and, laying both hands on his
shoulders, looked up smiling into his face. "I 'll be brave, Chi; we 'll
make it work somehow," she said gently; and Chi was not ashamed
to take one of the little hands and rub it softly against his unshaven
cheek.
"That's my Rose-pose," he said. "Now, don't let's cross the
bridges till we get to them; let's wait till we hear from New York."
They had not long to wait. The next day's mail brought three
letters,--from Mrs. Heath, Mr. Clyde, and Jack. Hazel could not read
them fast enough to suit her audience. There was an order from
Mrs. Heath for two dozen of each kind, and the assurance that she
would ask her friends, but she would like her order filled first.
Mr. Clyde wrote that he was coming up very soon and would
advance Hazel's quarterly allowance; at which Hazel cried, "Oh-ee!"
and hugged first herself, then Mrs. Blossom, but said not a word.
She wanted to surprise them with the glass jars and the sugar. Her
father had enclosed five dollars with which to pay Chi, and he and
Hazel were closeted for full a quarter of an hour in the pantry,
discussing ways and means.
Jack wrote enthusiastically of the preserves and chickens, and,
like Hazel, added a postscript as follows:
"Don't forget you said you would write down for me the song
about Love that Miss Blossom sings when she is kneading bread.
Miss Seaton is just now visiting in Boston. I 'm to play in a polo
match out at the Longmeadow grounds next week, and she stays for
that." This, likewise, Hazel kept to herself.
Meanwhile, the strawberry blossoms were starring the pastures,
but only here and there a tiny green button showed itself. It was a
discouraging outlook for the other Blossoms to wait five long weeks
before they could begin to earn money; and the thought of the
chickens, especially the prize chicken, proved a source of comfort as
well as speculation.
As the twenty-first day after setting the hens drew near, the
excitement of the race was felt to be increasing. Hazel had tied a
narrow strip of blue flannel about the right leg of each of her twelve
hens, that there might be no mistake; and the others had followed
her example, March choosing yellow; Cherry, white; Rose, red; and
Budd, green.
The barn was near the house, only a grass-plat with one big elm
in the centre separated it from the end of the woodshed. As Chi
said, the hens were sitting all around everywhere; on the nearly
empty hay-mow there were some twenty-five, and the rest were in
vacant stalls and feed-boxes.
It was a warm night in early June. Hazel was thinking over
many things as she lay wakeful in her wee bedroom. To-morrow was
the day; somebody would get the prize chicken. Hazel hoped she
might be the winner. Then she recalled something Chi had said
about hens being curious creatures, set in their ways, and never
doing anything just as they were expected to do it, and that there
was n't any time-table by which chickens could be hatched to the
minute. What if one were to come out to-night! The more she
thought, the more she longed to assure herself of the condition of
things in the barn. She tossed and turned, but could not settle to
sleep. At last she rose softly; the great clock in the long-room had
just struck eleven. She looked out of her one window and into the
face of a moon that for a moment blinded her.
Then she quietly put on her white bath-robe, and, taking her
shoes in her hand, stepped noiselessly out into the kitchen.
There was not a sound in the house except the ticking of the
clock. Softly she crept to the woodshed door and slipped out.
Chi, who had the ears of an Indian, heard the soft "crush,
crush," of the bark and chips underneath his room. He rose
noiselessly, drew on his trousers, and slipped his suspenders over his
shoulders, took his rifle from the rack, and crept stealthily as an
Apache down the stairs. Chi thought he was on the track of an
enormous woodchuck that had baffled all his efforts to trap, shoot,
and decoy him, as well as his attempts to smoke and drown him out.
But nothing was moving in or about the shed. He stepped outside,
puzzled as to the noise he had heard.
"By George Washin'ton!" he exclaimed under his breath, "what's
up now?" for he had caught sight of a little figure in white fairly
scooting over the grass-plat under the elm towards the barn. In a
moment she disappeared in the opening, for on warm nights the
great doors were not shut.
"Guess I 'd better get out of the way; 't would scare her to
death to see a man 'n' a gun at this time of night. It's that prize
chicken, I 'll bet." And Chi chuckled to himself. Then he tiptoed as
far as the barn door, looked in cautiously, and, seeing no one, but
hearing a creak overhead, he slipped into a stall and crouched
behind a pile of grass he had cut that afternoon for the cattle.
He heard the feet go "pat, pat, pat," overhead. He knew by the
sound that Hazel was examining the nests. Then another noise--
Cherry's familiar giggle--fell upon his ear. He looked out cautiously
from behind the grass. Sure enough; there were the twins, robed in
sheets and barefooted. Snickering and giggling, they made for the
ladder leading to the loft.
"The Old Harry 's to pay to-night," said Chi, grimly, to himself.
"When those two get together on a spree, things generally hum! I 'd
better stay where I 'm needed most."
Hazel, too, had caught the sound of the giggle and snicker, and
recognized it at once.
"Goodness!" she thought, "if they should see me, 't would
frighten Cherry into fits, she 's so nervous. I 'd better hide while they
're here. They 've come to see about that chicken, just as I have!"
Hazel had all she could do to keep from laughing out loud. She lay
down upon a large pile of hay and drew it all over her. "They can't
see me now, and I can watch them," she thought, with a good deal
of satisfaction.
Surely the proceedings were worth watching. The moonlight
flooded the flooring of the loft, and every detail could be plainly
seen.
"Nobody can hear us here if we do talk," said Budd. "You 'll
have to hoist them up first, to see if there are any chickens, and be
sure and look at the rag on the legs; when you come to a green
one, it's mine, you know."
"Oh, Budd! I can't hoist them," said Cherry, in a distressed
voice.
"They do act kinder queer," replied Budd, who was trying to lift
a sleeping hen off her nest, to which she seemed glued. "I 'll tell you
what's better than that; just put your ear down and listen, and if you
hear a 'peep-peep,' it's a chicken."
Cherry, the obedient slave of Budd, crawled about over the
flooring on her hands and knees, listening first at one nest, then at
another, for the expected "peep-peep."
"I don't hear anything," said Cherry, in an aggrieved tone, "but
the old hens guggling when I poke under them. Oh! but here 's a
green rag sticking out, Budd."
"And a speckled hen?" said Budd, eagerly.
"Yes."
"Well, that's the one I 've been looking for; it's dark over here in
this corner. Lemme see."
Budd put both hands under the hen and lifted her gently. "Ak--
ok--ork--ach," gasped the hen, as Budd took her firmly around the
throat; but she was too sleepy to care much what became of her,
and so hung limp and silent.
"I 'll hold the hen, Cherry, and you take up those eggs one at a
time and hold them to my ear."
"What for?" said Cherry.
"Now don't be a loony, but do as I tell you," said Budd,
impatiently. Cherry did as she was bidden; Budd listened intently.
"By cracky! there 's one!" he exclaimed. "Here, help me set this
hen back again, and keep that one out."
"What for?" queried Cherry, forgetting her former lesson.
"Oh, you ninny!--here, listen, will you?" Budd put the egg to her
ear.
"Why, that's a chicken peeping inside. I can hear him," said
Cherry, in an awed voice.
"Yes, and I 'm going to let him out," said Budd, triumphantly.
"But then you'll have the prize chicken, Budd," said Cherry,
rather dubiously, for she had wanted it herself.
"Of course, you goosey, what do you suppose I came out here
for?" demanded Budd.
"But, Budd, will it be fair?" said Cherry, timidly.
"Fair!" muttered Budd; "it's fair enough if it's out first. It's their
own fault if they don't know enough to get ahead of us."
"Did you think it all out yourself, Budd?" queried Cherry,
admiringly, watching Budd's proceeding with wide-open eyes.
"Yup," said Budd, shortly.
They were not far from Hazel's hiding-place, and, by raising her
head a few inches, she could see the whole process.
First Budd listened intently at one end of the egg, then at the
other. He drew out a large pin from his pajamas and began very
carefully to pick the shell.
"Oh, gracious, Budd! what are you doing?" cried Cherry.
"What you see," said Budd, a little crossly, for his conscience
was not wholly at ease.
He picked and picked, and finally made an opening. He
examined it carefully.
"Oh, thunder!" he exclaimed under his breath, "I 've picked the
wrong end."
"What do you mean?" persisted Cherry.
"I wanted to open the 'peep-peep' end first, so he could
breathe," replied Budd, intent upon his work. Cherry watched
breathlessly. At last the other end was opened, and Budd began to
detach the shell from something which might have been a worm, a
fish, a pollywog, or a baby white mouse, for all it looked like a
chicken. It lay in Budd's hand.
"Oh, Budd, you 've killed it!" cried Cherry, beginning to sniff.
"Shut up, Cherry Blossom, or I'll leave you," threatened Budd.
Just then the moon was obscured by a passing cloud, and the loft
became suddenly dark and shadowy. Cherry screamed under her
breath.
"Oh, Budd, don't leave me; I can't see you!"
There was a soft rapid stride over the flooring; and before Budd
well knew what had happened, he was seized by the binding of his
pajamas, lifted, and shaken with such vigor that his teeth struck
together and he felt the jar in the top of his head.
As the form loomed so unexpectedly before her, Cherry
screamed with fright.
"I 'll teach you to play a business trick like this on us, you mean
sneaking little rascal!" roared March. "Do you think I did n't see you
creeping out of the room along the side of my bed on all fours? You
did n't dare to walk out like a man, and I might have known you
were up to no good!" Another shake followed that for a moment
dazed Budd. Then, as he felt the flooring beneath his feet, he turned
in a towering passion of guilt and rage on March.
"You 're a darned sneak yourself," he howled rather than cried.
"Take that for your trouble!" Raising his doubled fist, he aimed a
quick, hard blow at March's stomach. But, somehow, before it
struck, one strong hand--not March's--held his as in a vice, and
another, stronger, hoisted him by the waist-band of his pajamas and
held him, squirming and howling, suspended for a moment; then he
felt himself tossed somewhere. He fell upon the hay under which
Hazel had taken refuge, and landed upon her with almost force
enough to knock the breath from her body. Cherry, meanwhile, had
not ceased screaming under her breath, and, as Budd descended so
unexpectedly upon Hazel, a great groan and a sharp wail came forth
from the hay, to the mortal terror of all but Chi, who grew white at
the thought of what might have happened to his Lady-bird, and,
unintentionally, through him.
That awful groan proved too much for the children. Gathering
themselves together in less time than it takes to tell it, they fled as
well as they could in the dark,--down the ladder, out through the
barn, over the grass-plat, into the house, and dove into bed,
trembling in every limb.
"What on earth is the matter, children?" said Mrs. Blossom,
appearing at the foot of the stairs. "Did one of you fall out of bed?"
Budd's head was under the bedclothes, his teeth chattering
through fear; likewise Cherry. March assumed as firm a tone as he
could.
"Budd had a sort of nightmare, mother, but he 's all right now."
March felt sick at the deception.
"Well, settle down now and go to sleep; it's just twelve." And
Mrs. Blossom went back into the bedroom where Mr. Blossom was
still soundly sleeping.
Meanwhile, Chi was testing Hazel to see that no harm had been
done.
"Oh, I 'm all right," said Hazel, rather breathlessly. "But it really
knocked the breath out of my body." She laughed. "I never thought
of your catching up Budd that way and plumping him down on top
of me!"
"Guess my wits had gone wool-gatherin', when I never thought
of your hidin' there," said Chi, recovering from his fright. "But that
boy made me so pesky mad, tryin' to play such a game on all of us,
that I kind of lost my temper 'n' did n't see straight. Well--" he
heaved a sigh of relief, "he 's got his come-uppance!"
"Where do you suppose that poor little chicken is?"
"We 'll look him up; the moon 's comin' out again."
There, close by the nest, lay the queer something on the floor.
"I 'll tuck it in right under the old hen's breast, 'n' then, if there 's
any life in it, it 'll come to by mornin'." He examined it closely. "I 'll
come out 'n' see. Come, we 'd better be gettin' in 'fore 't is dark
again--"
He put the poor mite of a would-be chicken carefully under the
old hen, where it was warm and downy, and as he did so, he caught
sight of the rag hanging over the edge of the nest. He looked at it
closely; then slapping his thigh, he burst into a roar of laughter.
"What is it, Chi?" said Hazel, laughing, too, at Chi's mirth.
"Look here, Lady-bird! you 've got the Prize Chicken, after all.
That boy could n't tell green from blue in the moonlight, 'n' he 's
hatched out one of yours. By George Washin'ton! that's a good one,--
serves him right," he said, wiping the tears of mirth from his eyes.
The chicken lived, but never seemed to belong to any one in
particular; and as Chi said solemnly the next morning, "The less said
on this Mountain about prize chickens, the better it 'll be for us all."

X
AN UNEXPECTED MEETING

It was a busy summer in and about the farmhouse on Mount
Hunger. What with tending the chickens--there were four hundred
and two in all--and strawberry-picking and preserving, and in due
season a repetition of the process with raspberries and blackberries,
the days seemed hardly long enough to accomplish all the young
people had planned.
Mr. Clyde came up for two days in June, and upon his return
told Doctor Heath that he, too, felt as if he needed that kind of a
cure.
Hazel was the picture of health and fast becoming what Chi had
predicted, "an A Number 1" beauty. Her dark eyes sparkled with the
joy of life; on her rounded cheeks there was the red of the rose; the
skull-cap had been discarded, and a fine crop of soft, silky rings of
dark brown hair had taken its place.
"Never, no, never, have I had such good times," she wrote to
her Cousin Jack at Newport. "We eat on the porch, and make believe
camp out in the woods, and we ride on Bess and Bob all over the
Mountain. We've about finished the preserves and jams, and Rose
has only burnt herself twice. The chickens, Chi says, are going to be
prime ones; it 's awfully funny to see them come flying and hopping
and running towards us the minute they see us--March says it's the
'Charge of the Light Brigade.'
"I wish you could be up here and have some of the fun,--but I
'm afraid you 're too old. I enclose the song Rose sings which you
asked me for. I don't understand it, but it's perfectly beautiful when
she sings it."
Hazel had asked Rose for the words of the song, telling her that
her Cousin Jack at Harvard would like to have them. Rose looked
surprised for a moment.
"What can he want of them?" she asked in a rather dignified
manner; and Hazel, thinking she was giving the explanation the
most reasonable as well as agreeable, replied:--
"I don't know for sure, but I think--you won't tell, will you,
Rose?"
"Of course I won't. I don't even know your cousin, to begin
with."
"I think he is going to be engaged, or is, to Miss Seaton of New
York. All his friends think she is awfully pretty, and papa says she is
fascinating. I think Jack wanted them to give to her."
"Oh," said Rose, in a cool voice with a circumflex inflection, then
added in a decidedly toploftical tone, "I've no objection to his
making use of them. I 'll copy them for you."
"Thank you, Rose," said Hazel, rather puzzled and a little hurt at
Rose's new manner.
This conversation took place the first week in August, and the
verses were duly forwarded to Jack, who read them over twice, and
then, thrusting them into his breast-pocket, went over to the Casino,
whistling softly to himself on the way. There, meeting his chum and
some other friends, he proposed a riding-trip through the Green
Mountain region for the latter part of August.
"The Colonel and his wife will go with us, I 'm sure, and any of
the girls who can ride well will jump at the chance," said his chum.
"It's a novelty after so much coaching."
"I 'll go over and see Miss Seaton about it," said Jack, and
walked off singing to himself,--

"'--the stars above
Shine ever on Love'--"

His friend turned to the others. "That's a go; I 've never seen Sherrill
so hard hit before." Then he fell to discussing the new plan with the
rest.