
9/12/2017
02:00 PM

The 'Team of Teams' Model for Cybersecurity

Security leaders can learn some valuable lessons from a real-life military model.

The pressure is on cybersecurity leaders to get crafty. The ever-growing connectivity sprawl across businesses means a vastly expanded attack surface. Cybersecurity concerns now go well beyond IT, touching supply chain, production environments, smart connected products, and retail. Customers, partners, and regulators are demanding more security assurance. Meanwhile, the sophistication and motivation of cybercriminals are rapidly accelerating.

Today's online world is unpredictable, highly variable, and chaotic. But good lessons exist regarding what we can do about it. Cybersecurity leaders today are where US military leadership was in the mid-2000s: learning the hard way that tried-and-true ways of organizing, deciding, and delivering capabilities don't work well anymore, and can even be counterproductive. So, for cybersecurity leaders — and related accountable entities, such as chief risk officers — what's the takeaway? It's not simply to buy more capability, add to headcount, or expect a decisive edge from the latest tool. Instead, it's to dramatically alter how you use what you already have.

Historical Precedent with Military Special Operations
When General Stanley McChrystal took over the Joint Special Operations Command (JSOC) in late 2003, he saw that the US military was continually vexed by a decentralized network of fast, scrappy, tech-savvy insurgents. The military machine was too slow and rigid. To break the "whack-a-mole" pattern — something cybersecurity leaders struggle with today — McChrystal implemented some radical new practices, including:

  • Pivoting away from efficiency: Instead, McChrystal looked for ways to increase agility and respond rapidly to the unpredictability of the operating environment.
  • Fusing siloed functions together: He broke down walls between teams and processes to establish a singular view of purpose, engender deep trust, and increase speed of action.
  • Forcing shared consciousness: He established a transparent, intelligence-driven, and priority-focused construct with strong lateral ties between individual teams.
  • Taking an ecosystem perspective: He focused on cultivating broad relationships because of the interdependence of the operating environment and the need for select members of each internal team (and external partner organizations) to understand the entire interconnected system.

Infusing Lessons Learned into Cybersecurity
Security leaders today are constantly playing catch-up against innovative, agile threats. And just like the pre-2003 military machine, the legacy discipline of cybersecurity has been about structure, sequencing, precision, and capability dominance. Repeatable tasks, such as vulnerability identification and patching, are executed by technical gurus, in silos, using structured, manual methods. Piling on a new security technology for every new cyberthreat is the norm. This has created waste and management complexity. On the human side, for years we've seen hands-on "commanding" from CISOs, with orders executed by subordinates. Checklists, playbooks, and narrowly scoped roles are standard.

This doesn't cut it anymore. Yes, technology improvements (such as orchestration and automation) will help. But we're at a tipping point for how cybersecurity organizations must look and operate to protect and enable the business. Efficiency must give way to adaptability. Command and control to autonomy. Direction to guidance. Collaboration to total integration. Technical security experts aren't enough; these assets must be blended with creative business thinkers who understand how security investments should relate to enterprise strategy and risk.

And because we need to establish broad buy-in and unlock the resources of others, security needs people who are social influencers. Just as the military established networked "pods" of anthropologists and linguists into its deployed units, cybersecurity organizations must pull on the full range of resources and insights available across the business.

Establishing a "Cyber Team of Teams" Operating Model
The McChrystal-led transformation of JSOC, described in the book Team of Teams, shows a better way of operating that can work for security organizations. To get there, follow these four principles:

  1. Establish a nimble yet authoritative hub. Cybersecurity teams must break free from a capability-first mindset. Great human talent and leadership guide success. A small set of visionary, business-minded security leaders need to see and have authority over the entire enterprise. But this isn't about precise command and control. This is about establishing a comprehensive view and a shared consciousness that anyone doing security can benefit from. A central strategy hub, focused on illuminating the risks that matter most to the business, is a key starting point.
  2. Engender a "localized" operating model. Rather than barking out prescriptive orders from the center, the hub sets strategic guidance, provides shareable resources, and lets people get to work. Most decisions get pushed down to the field. Specialized, small teams — whether dedicated to functions like intelligence, response, or organizational change management, or aligned to specific ecosystem domains (such as IT, OT, product design) — develop their specialized view of priorities, and they work with their business partners to get the job done. These team members shouldn’t all be from the core security organization. You need business natives. As a security leader, your job is to influence others and get them to commit resources to this important shared mission.
  3. Make constant communication an operational norm. These localized teams talk to each other, independent of the hub. That steady flow of fresh information and insights, especially across organizational seams, keeps security organizations aligned and ahead of the bad guys. The central hub is in the mix, but it's no bottleneck to success.
  4. Free up your human talent. Tools must serve people. Not the other way around. Security programs need to continually work to automate the right things. Enable the machines to do what they do best, while freeing up human talent to do what it does best: craft vision, understand nuanced risk profiles, communicate, and be creative.

We call this approach "Cyber Team of Teams." Operationalizing it is becoming a necessity for large organizations across industries, just like it was for General McChrystal and JSOC. The purpose is not only to lessen the pain of today, but to set the business up for a competitive and successful future.

Matthew Doan is a leader in Booz Allen Hamilton's Commercial Cyber practice. He advises senior clients and leads project teams in driving innovative strategic and operational cybersecurity solutions, particularly for global automotive, oil and gas, industrial, and high-tech ...