The Federal Cyber Enterprise: A New Way Forward with Craig Bowman

Alan Gin, CEO, ZeroDown Software

This is a companion blog to “The SafeHouse” podcast dated June 19, 2025.

In today’s rapidly evolving cyber landscape, the need for a unified federal cyber enterprise has never been more urgent. Craig Bowman, Vice President at Trellix and the co-founder of the Redwood Project, offers a compelling perspective on how the United States can reshape its national cybersecurity approach by fostering stronger collaboration between the public and private sectors. Drawing on decades of experience spanning the Department of Defense, major corporations, and pioneering startups, Craig shares his insights on bridging critical gaps in cybersecurity and advancing a cohesive strategy that empowers all players, from Fortune 100 companies to small and medium-sized businesses.

Listen to the original podcast here: https://safehouseinitiative.org/the-federal-cyber-enterprise-a-new-way-forward/

Craig Bowman’s Journey and the Birth of the Redwood Project

Craig’s path to becoming a cybersecurity leader was unconventional. A business major with a passion for computers, he was recruited early on by a company working with the intelligence community. Over the years, he served in both offensive and defensive roles within the Department of Defense and worked with Adobe, Verizon, VMware, and ultimately Trellix, a powerhouse formed from the merger of McAfee, FireEye, and Mandiant.

Reflecting on his journey, Craig recalls a pivotal moment that sparked the creation of the Redwood Project. After he delivered a keynote speech at a conference, a fellow attendee asked him what he would change to improve cybersecurity in the United States. Craig identified a critical breakdown in trust and collaboration between the government and the private sector following the Edward Snowden leaks. He explained:

“One of the biggest gaps that I saw was that after the Edward Snowden leak of information, there was a general pullback from the industry to being able and willing to collaborate with the US government to help them in the national security needs. We had to find a way back to finding that public-private partnership where the federal government could leverage the power of commercial industry and that the commercial industry could feel safe about providing resources to the federal government on behalf of the United States.”

This conversation led to an invitation to gather with other leaders in the Redwood Forest, where the Redwood Project was born. Its mission: reinvent the way industry and government collaborate on cybersecurity.

The Five Pillars of The Redwood Project

The Redwood Project is structured around five key workstreams, each designed to address challenges identified by industry members and create actionable solutions for national cybersecurity:

  1. Expanding the Special Government Employee (SGE) Program: This program grants select private sector individuals top-secret clearances and access to sensitive government information, closing the communication loop so industry contributors can see how their shared intelligence is used.
  2. Developing a Proactive Cyber Disruption Strategy: Moving beyond reactive defense, this workstream focuses on collaborative efforts to disrupt adversaries before they can target critical industry interests.
  3. Operation Dynamo – Voluntary Partnership: Named after the Dunkirk rescue operation, this initiative encourages voluntary intelligence sharing and collective defense partnerships between businesses and government entities.
  4. Introducing Legal Protections (Safe Harbor): To alleviate fears of legal liability that deter companies from sharing information, this workstream advocates for safe harbor provisions to protect collaborating entities.
  5. Supporting Small and Medium-Sized Businesses (SMBs): Recognizing that smaller organizations often lack resources and influence, this workstream focuses on enhancing cybersecurity resilience across the entire supply chain.

Craig highlights the importance of this last point, emphasizing that while large corporations can engage directly with federal agencies, many smaller players need support to be part of the national cybersecurity ecosystem.

Navigating Legislative Challenges and Embracing Deregulation

In the current political environment, cybersecurity policy is undergoing significant shifts. Craig notes that the Redwood Project functions as a facilitator of conversation rather than a policy dictator, maintaining a nonpartisan stance that welcomes members from all political backgrounds. He explains:

“It doesn’t matter who the administration is or who the president is. We don’t talk politics; we talk cyber.”

The ongoing focus on deregulation under the current administration has reshaped federal cybersecurity priorities. Craig outlines several key developments from the first few months of the year:

  • Repeal of Environmental Regulations: Executive orders aimed at unleashing American energy indirectly affect infrastructure development and signal a deregulatory agenda.
  • Dismantling of the Cyber Safety Review Board (CSRB): Moves to reduce federal oversight on cybersecurity policy.
  • America First Investment Policy: Emphasizing artificial intelligence (AI) and setting cyber infrastructure standards related to AI.
  • Requests for Information (RFI) on AI Action Plans: Covering hardware, data centers, privacy, security, and technical standards.
  • National Resiliency Strategy: An executive order transferring cyber policy responsibilities to state and local governments, encouraging a risk-based approach tailored to local needs.
  • FedRAMP Reforms: Streamlining cloud service provider approvals from months to weeks by reducing red tape.

Craig observes that these changes collectively represent a rapid transformation in U.S. cybersecurity posture, with a clear pivot toward industry-led initiatives and state-level responsibility.

The Critical Role of Information Sharing and Analysis Centers (ISACs)

Information Sharing and Analysis Centers (ISACs) are industry-specific organizations that facilitate threat intelligence sharing among members. Craig underscores their vital role in the evolving cybersecurity landscape:

“They unify the industries they represent, creating collective threat-sharing communities.”

Currently, there are 16 critical infrastructure sectors and about 28 ISACs that also include non-critical industries like media, entertainment, and research. While some ISACs, such as those for financial and healthcare sectors, are highly effective, others vary in impact.

Given the administration’s focus on deregulation and decentralization, Craig proposes an Industry-Led National Cybersecurity Council (NCC) to unify ISACs across sectors. This council would serve as a central hub for cross-industry threat sharing, acting as a liaison to the federal government and aligning cybersecurity efforts nationwide.

He explains how this council could support a “predictive defense exchange,” leveraging real-time, machine-readable threat data potentially enhanced by AI technologies prioritized by the administration.

Empowering Small and Medium Businesses Through Collaboration and Incentives

Recognizing the challenges faced by smaller organizations, the Redwood Project advocates for democratizing cybersecurity participation. Craig highlights existing grant programs that provide foundational cybersecurity funding to rural and small businesses, and stresses the need for continued support:

“Small and medium businesses often can’t afford to contribute to ISACs, so we envision membership models that waive fees for smaller players and leverage state cybersecurity grant programs.”

Moreover, the NCC could help direct federal funding more efficiently by aligning resources with the needs identified by industry experts and state governments. Craig suggests offering tax incentives tied to meeting industry-developed cybersecurity benchmarks as a powerful motivator:

“If you meet these thresholds developed by your own industry partners, we will give you a tax incentive. There’s the carrot.”

This approach aligns with the current administration’s emphasis on deregulation and streamlined governance, offering a practical path to strengthen national cybersecurity without expanding federal bureaucracy.

The Future of Federal Cybersecurity: Industry Leadership and Government Partnership

With the federal government refocusing agencies like CISA to prioritize protecting federal networks and scaling back some cooperative agreements, the Redwood Project’s NCC could fill critical gaps by enabling industry-led coordination and state-level engagement.

Craig stresses that rebuilding trust between government and industry is essential, especially post-Snowden, when collaboration weakened. He highlights the importance of balancing information sharing with legal protections and tangible benefits for private sector participants.

On a broader note, Craig shares a personal call to action for cybersecurity at every level:

“If you have kids from the very earliest age, you need to make sure that you are in control of every bit of their data and every bit of their devices that you give them. There is no privacy with your kids. Period. End of story.”

For businesses, he advises consolidating security platforms and leveraging managed services for continuous monitoring, especially for small and medium-sized enterprises lacking internal resources. For complex environments, adopting strong frameworks like MITRE and Zero Trust is key.

Conclusion

Craig Bowman’s vision through the Redwood Project offers a refreshing and practical blueprint for advancing U.S. cybersecurity in an era of rapid change and deregulation. By fostering a nonpartisan, industry-led coalition that bridges public and private sectors, the nation can build a resilient, adaptive cyber defense posture that protects critical infrastructure and empowers all businesses.

As Craig puts it:

“This is our country. This is our cyber footprint. You don’t have to agree with the strategy, but you have to figure out a way to make it work as efficiently as possible for this country.”

In embracing collaboration, legal protections, and incentives, the future of federal cybersecurity can be one where government and industry move forward together—stronger, smarter, and more secure.

For more information about the SafeHouse Initiative and how you can protect your organization, visit safehouseinitiative.org.