Adam Maruyama - From NSA Ops to Cyber Strategy

Critical Stats

LinkedIn: Check out his profile!

Started their cybersecurity journey in: 2007

Most passionate about (in cybersecurity): Communicating risk and avoiding FUD… Fear, Uncertainty, and Doubt.

Favorite zero-day: Libwebp (CVE-2023-5129 et al)

Favorite song: “The Ghost of Tom Joad” by Bruce Springsteen

Introduction

Adam Maruyama is a cybersecurity and national security professional with over two decades of experience spanning intelligence operations, counterterrorism strategy, and private-sector technology leadership. His career bridges the worlds of classified government operations and commercial innovation, giving him a rare ability to translate complex technological and risk concepts into narratives that resonate with technical teams, business leaders, and government stakeholders alike.

Adam advises organizations on leveraging trusted, high-assurance technologies to securely adopt the latest innovations, including AI, into their environments. His expertise encompasses hardware-enforced security, adversarial AI defense, and the strategic positioning of cybersecurity products for both government and commercial markets.

Adam is a Cyber Vanguard!

Adam's career is defined by operating at the highest levels of national security. Beginning as an Intelligence Analyst at the National Security Agency (NSA) through the prestigious Stokes Scholarship program, he rose to lead a team in the NSA's Counterterrorism Watch Center and deployed on numerous warzone tours, supporting cyber and counterterrorism operations worldwide.

His strategic impact extended to the National Counterterrorism Center, where he co-led the drafting of the 2018 National Strategy for Counterterrorism, shaping the nation's approach to threats, both foreign and domestic. Transitioning to the private sector, Adam brought that same rigor to McKinsey & Company and Palo Alto Networks, where I had the privilege of working alongside him and witnessing his sharp intellect and relentless work ethic firsthand.

Today, Adam is a prolific thought leader, publishing in outlets such as Dark Reading, The Hill, and Cipher Brief and presenting on stages such as RSAC. He also volunteers as an advisor for The Hacking Games, helping develop the next generation of cybersecurity talent. Simply put, Adam sees the entire battlefield and knows how to communicate what matters most.

Without further ado, we asked Adam our standard set of 5 questions to rule them all, and here are his responses:

Five questions to rule them all!

1. What is the biggest problem we are dealing with in cybersecurity?

Cybersecurity isn’t a government problem or a business problem; it’s a whole-of-society problem that requires all of us to collaborate. In an interconnected world, organizations aren’t just transactional business partners; they’re also the custodians of our data and identities, and the providers of the energy and infrastructure we use to remain connected. APTs and criminals are attacking ordinary people and businesses every day, and it’s not something the government or a single organization can stop on its own. We need to share information and best practices so we can stop cyber threats together, as a society.

2. How can we best coordinate across industry to address this whole-of-society issue?

It can be hard for vendors to give up what seems like an advantage by sharing threat intelligence, and even harder for a business to admit weakness by disclosing the indicators associated with a breach, but it’s critical to increasing the security of our ecosystem as a whole. Fortunately, the cybersecurity community has come a long way in this dimension, from centralized databases like MITRE’s CVE database to vendor-agnostic threat intelligence being shared by major cybersecurity vendors and even my alma mater, the normally secretive NSA (formerly nicknamed “No Such Agency”), opening a public-facing Cybersecurity Collaboration Center. As AI accelerates the velocity of attacks, it’s only by doubling down on the strategy of collaboration that we’ll keep organizations safe.

3. What are three actions a CEO can take to protect their company from cyberattacks?

1. Know what matters to your organization. Know what data your organization holds and how sensitive or valuable each dataset is. Know what systems are in the critical path for business operations and make sure they – and the paths into them – are protected and resilient against the threats your industry is most likely to face. Cybersecurity can be a daunting challenge, but prioritizing your systems and holdings can make it much easier for you to focus your efforts accordingly.

2. Incentivize collaborative cybersecurity conversations. The insights that you can glean from asking why someone committed a cybersecurity violation can be as valuable or more valuable than the rule itself. For example, these days, we’re seeing a lot of use of unsanctioned AI tools. Instead of just blocking unauthorized services or sending a “nastygram” to the employees using them, consider a conversation about the tool they’re using, what value they’re getting from it, and explaining why it’s not on the sanctioned tools list. These conversations can not only incentivize compliance on the part of the employee, but also unlock new AI use cases – if there’s a new capability, finding a sanctioned alternative could secure the business and accelerate results!

3. Finally, don’t talk yourself out of cybersecurity. This attempt can come in many forms: “I’m not technical enough to implement cybersecurity.” “They’d never target a business as small as mine!” “If someone wants to own me badly enough, I’m already cooked, so why bother?” At the end of the day, none of these lines of thought will matter if you get hacked. Insurance won’t always cover the full impact of business losses due to fire or theft, but organizations still buy policies; don’t make cybersecurity any different.

4. What are some of the best resources for learning more about cybersecurity?

1. Dark Reading. This cybersecurity-focused news site blends technical analysis of new vulnerabilities with insightful articles on the broader cybersecurity ecosystem and its impact on business and politics. In full transparency (or shameless self-promotion), I am an occasional op-ed contributor for Dark Reading.

2. The CVE database and CISA’s Known Exploited Vulnerabilities (KEV) database. Ok, I’m cheating a bit here because it’s a twofer, but the idea is the same: both of these databases are sources of ground truth for sharing the cyber vulnerabilities I mentioned earlier. Need to know whether a vulnerability exists because you’re considering acquiring software? Use the CVE database. Need to know whether it’s being actively exploited because you’re in the middle of triaging cyber hygiene practices across several vulnerabilities? Use the KEV database.

3. This one’s a bit of a hot take, but I love my Google recommended article feed on mobile. This assumes you’re already looking at a lot of cybersecurity content and often requires cross-referencing trusted sources, but it provides a surprisingly good pulse on what’s happening in the industry and threat environment when I don’t have the time to do a deep-dive into Dark Reading or another page (and it provides me with other articles of interest).

5. What is one piece of advice for those wanting to pursue a cybersecurity career?

Know yourself and don’t try to be someone you’re not comfortable becoming. Everyone likes to think of cybersecurity as a bits-and-bytes discipline, and that’s an important part of it, but that’s not by any means all that cybersecurity is about. For example, I’m a non-coder who directed cyber operations at TAO – NSA’s hacking organization – not by discovering exquisite Zero-Days, but by understanding the meta level of how different systems are connected and understanding what it would take to move laterally between them. One of my best friends in cybersecurity focuses on the business implications of cybersecurity and how they impact risk prioritization. Know your strengths, know your gaps, and fill the ones that motivate and excite you – curiosity and lifetime learning are really the only prerequisites for a career in cybersecurity; fitting into the mold of a stereotypical cybersecurity professional certainly is not!

Bond. James Bond… would be lucky to hold Adam’s jacket. You best share this article!