Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/12/2017
02:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The 'Team of Teams' Model for Cybersecurity

Security leaders can learn some valuable lessons from a real-life military model.

The pressure is on cybersecurity leaders to get crafty. The ever-growing connectivity sprawl across businesses means a vastly expanded attack surface. Cybersecurity concerns now go well beyond IT, touching supply chain, production environments, smart connected products, and retail. Customers, partners, and regulators are demanding more security assurance. Meanwhile, the sophistication and motivation of cybercriminals are rapidly accelerating.

Today's online world is unpredictable, highly variable, and chaotic. But good lessons exist regarding what we can do about it. Cybersecurity leaders today are where US military leadership was in the mid-2000s: learning the hard way that tried-and-true ways of organizing, deciding, and delivering capabilities don't work well anymore, and can even be counterproductive. So, for cybersecurity leaders — and related accountable entities, such as chief risk officers — what's the takeaway? It's not simply to buy more capability, add to headcount, or expect a decisive edge from the latest tool. Instead, it's to dramatically alter how you use what you already have.

Historical Precedent with Military Special Operations
When General Stanley McChrystal took over the Joint Special Operations Command (JSOC) in late 2003, he saw that the US military was continually vexed by a decentralized network of fast, scrappy, tech-savvy insurgents. The military machine was too slow and rigid. To break the "whack-a-mole" pattern — something cybersecurity leaders struggle with today — McChrystal implemented some radical new practices, including:

  • Pivoting away from efficiency: Instead, McChrystal looked for ways to increase agility and respond rapidly to the unpredictability of the operating environment.
  • Fusing siloed functions together: He broke down walls between teams and processes to establish a singular view of purpose, engender deep trust, and increase speed of action.
  • Forcing shared consciousness: He established a transparent, intelligence-driven, and priority-focused construct with strong lateral ties between individual teams.
  • Taking an ecosystem perspective: He focused on cultivating broad relationships because of the interdependence of the operating environment and the need for select members of each internal team (and external partner organizations) to understand the entire interconnected system.

Infusing Lessons Learned into Cybersecurity
Security leaders today are constantly playing catch-up against innovative, agile threats. And just like the pre-2003 military machine, the legacy discipline of cybersecurity has been about structure, sequencing, precision, and capability dominance. Repeatable tasks, such as vulnerability identification and patching, are executed by technical gurus, in silos, using structured, manual methods. Piling on a new security technology for every new cyberthreat is the norm. This has created waste and management complexity. On the human side, for years we've seen hands-on "commanding" from CISOs, with orders executed by subordinates. Checklists, playbooks, and narrowly scoped roles are standard.

This doesn't cut it anymore. Yes, technology improvements (such as orchestration and automation) will help. But we're at a tipping point for how cybersecurity organizations must look and operate to protect and enable the business. Efficiency must give way to adaptability. Command and control to autonomy. Direction to guidance. Collaboration to total integration. Technical security experts aren't enough; these assets must be blended with creative business thinkers who understand how security investments should relate to enterprise strategy and risk.

And because we need to establish broad buy-in and unlock the resources of others, security needs people who are social influencers. Just as the military established networked "pods" of anthropologists and linguists into its deployed units, cybersecurity organizations must pull on the full range of resources and insights available across the business.

Establishing a "Cyber Team of Teams" Operating Model
The McChrystal-led transformation of JSOC, described in the book Team of Teams, shows a better way of operating that can work for security organizations. To get there, follow these four principles:

  1. Establish a nimble yet authoritative hub. Cybersecurity teams must break free from a capability-first mindset. Great human talent and leadership guide success. A small set of visionary, business-minded security leaders need to see and have authority over the entire enterprise. But this isn't about precise command and control. This is about establishing a comprehensive view and a shared consciousness that anyone doing security can benefit from. A central strategy hub, focused on illuminating the risks that matter most to the business, is a key starting point.
  2. Engender a "localized" operating model. Rather than barking out prescriptive orders from the center, the hub sets strategic guidance, provides shareable resources, and lets people get to work. Most decisions get pushed down to the field. Specialized, small teams — whether dedicated to functions like intelligence, response, or organizational change management, or aligned to specific ecosystem domains (such as IT, OT, product design) — develop their specialized view of priorities, and they work with their business partners to get the job done. These team members shouldn’t all be from the core security organization. You need business natives. As a security leader, your job is to influence others and get them to commit resources to this important shared mission.
  3. Make constant communication an operational norm. These localized teams talk to each other, independent of the hub. That steady flow of fresh information and insights, especially across organizational seams, keeps security organizations aligned and ahead of the bad guys. The central hub is in the mix, but it's no bottleneck to success.
  4. Free up your human talent. Tools must serve people. Not the other way around. Security programs need to continually work to automate the right things. Enable the machines to do what they do best, while freeing up human talent to do what it does best: craft vision, understand nuanced risk profiles, communicate, and be creative.

We call this approach "Cyber Team of Teams." Operationalizing it is becoming a necessity for large organizations across industries, just like it was for General McChrystal and JSOC. The purpose is not only to lessen the pain of today, but to set the business up for a competitive and successful future.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Matthew Doan is a leader in Booz Allen Hamilton's commercial practice. He advises senior clients and leads project teams in driving innovative strategic and operational cybersecurity solutions, particularly for global automotive, oil and gas, industrial, and high-tech ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9079
PUBLISHED: 2020-08-11
FusionSphere OpenStack 8.0.0 have a protection mechanism failure vulnerability. The product incorrectly uses a protection mechanism. An attacker has to find a way to exploit the vulnerability to conduct directed attacks against the affected product.
CVE-2020-16275
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Credential Manager component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.
CVE-2020-16276
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Assets component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16277
PUBLISHED: 2020-08-10
An SQL injection vulnerability in the Analytics component of SAINT Security Suite 8.0 through 9.8.20 allows a remote, authenticated attacker to gain unauthorized access to the database.
CVE-2020-16278
PUBLISHED: 2020-08-10
A cross-site scripting (XSS) vulnerability in the Permissions component in SAINT Security Suite 8.0 through 9.8.20 could allow arbitrary script to run in the context of a logged-in user when the user clicks on a specially crafted link.