John Mills
Cyber Security Strategies


John Mills has worked in various capacities since 1983 for the national defense and security community. He has 27 years of service as a civilian and 31 years as a member of the uniformed military. John has worked cyber matters since 2004 at the Department of Defense (DOD). He has also had the opportunity to lead and participate in complex national security proceedings conducted by the Executive Office of the President and the National Security Staff. He was the DoD lead on the inter-agency team that developed and implemented the seminal Presidential Directive on Cybersecurity, NS/HSPD-54/23.

His 31 years of national security service including active, reserve, civilian, peacetime, and several hostile fire tours and he is currently a Colonel in the U.S. Army Reserve in addition to being a US Government Civilian. After 9/11, he was recalled to military service and spent two years conducting operations and planning with the Joint Staff at the Pentagon, at Central Command, and also in Iraq. During this period, among other things, he helped plan, organize, and implement multiple foreign national contingency military and security forces.

In addition to this experience, in the 1990’s, John worked as a senior contracting officer and program management analyst for implementation of complex air traffic control and science and technology innovations for another US Government Agency. In 1997, he spent most of the year in Bosnia helping to implement the Dayton Peace Accords among the former warring factions.

John has served in Europe, Asia, and the Middle East. John has a Graduate Degree in Strategic Studies from the Army War College in Carlisle Barracks, PA, a Master’s in Business Administration from Golden Gate University in San Francisco, and an undergraduate degree in Geography specializing in Trade and Transportation from the University of Washington. John is an Adjunct Professor teaching graduate level courses on cyber law and policy for the University of Maryland. Recent published articles of his include “Whatever happened to the Front Company? Resurrecting Lost National Security Tradecraft for an Asymetric World”, “The Key Terrain of Cyber” and “Counterinsurgency in Cyberspace.”


Cyber Security Leadership and Risk Management - How to Achieve Resiliency in the Face of Escalating Threats.


The state of an organisation’s IT security posture is too important to be fully delegated to the CIO and CISO. A serious cyber attack can have a material adverse effect on an organisation’s well being, financially and otherwise. This places cyber security into the category of a business risk that warrants CEO and Board attention. Getting the Board of Directors engaged and identifying key metrics to operationalise the needed risk and resource decisions will minimise successful attacks and achieve mission resiliency.

As organisations evolve their security posture, two key metrics for measuring their security capabilities are its Mean-Time-to-Detect (MTTD) threats that present an actual risk and its Mean-Time-to-Respond (MTTR) to fully analyse the threat and mitigate any risk presented. Each organisation needs to assess for itself the appropriate level of maturity based on its own risk tolerances and establish a robust cyber security scorecard to drive successful operations.