Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

02:00 PM
Connect Directly
E-Mail vvv

The 'Team of Teams' Model for Cybersecurity

Security leaders can learn some valuable lessons from a real-life military model.

The pressure is on cybersecurity leaders to get crafty. The ever-growing connectivity sprawl across businesses means a vastly expanded attack surface. Cybersecurity concerns now go well beyond IT, touching supply chain, production environments, smart connected products, and retail. Customers, partners, and regulators are demanding more security assurance. Meanwhile, the sophistication and motivation of cybercriminals are rapidly accelerating.

Today's online world is unpredictable, highly variable, and chaotic. But good lessons exist regarding what we can do about it. Cybersecurity leaders today are where US military leadership was in the mid-2000s: learning the hard way that tried-and-true ways of organizing, deciding, and delivering capabilities don't work well anymore, and can even be counterproductive. So, for cybersecurity leaders — and related accountable entities, such as chief risk officers — what's the takeaway? It's not simply to buy more capability, add to headcount, or expect a decisive edge from the latest tool. Instead, it's to dramatically alter how you use what you already have.

Historical Precedent with Military Special Operations
When General Stanley McChrystal took over the Joint Special Operations Command (JSOC) in late 2003, he saw that the US military was continually vexed by a decentralized network of fast, scrappy, tech-savvy insurgents. The military machine was too slow and rigid. To break the "whack-a-mole" pattern — something cybersecurity leaders struggle with today — McChrystal implemented some radical new practices, including:

  • Pivoting away from efficiency: Instead, McChrystal looked for ways to increase agility and respond rapidly to the unpredictability of the operating environment.
  • Fusing siloed functions together: He broke down walls between teams and processes to establish a singular view of purpose, engender deep trust, and increase speed of action.
  • Forcing shared consciousness: He established a transparent, intelligence-driven, and priority-focused construct with strong lateral ties between individual teams.
  • Taking an ecosystem perspective: He focused on cultivating broad relationships because of the interdependence of the operating environment and the need for select members of each internal team (and external partner organizations) to understand the entire interconnected system.

Infusing Lessons Learned into Cybersecurity
Security leaders today are constantly playing catch-up against innovative, agile threats. And just like the pre-2003 military machine, the legacy discipline of cybersecurity has been about structure, sequencing, precision, and capability dominance. Repeatable tasks, such as vulnerability identification and patching, are executed by technical gurus, in silos, using structured, manual methods. Piling on a new security technology for every new cyberthreat is the norm. This has created waste and management complexity. On the human side, for years we've seen hands-on "commanding" from CISOs, with orders executed by subordinates. Checklists, playbooks, and narrowly scoped roles are standard.

This doesn't cut it anymore. Yes, technology improvements (such as orchestration and automation) will help. But we're at a tipping point for how cybersecurity organizations must look and operate to protect and enable the business. Efficiency must give way to adaptability. Command and control to autonomy. Direction to guidance. Collaboration to total integration. Technical security experts aren't enough; these assets must be blended with creative business thinkers who understand how security investments should relate to enterprise strategy and risk.

And because we need to establish broad buy-in and unlock the resources of others, security needs people who are social influencers. Just as the military established networked "pods" of anthropologists and linguists into its deployed units, cybersecurity organizations must pull on the full range of resources and insights available across the business.

Establishing a "Cyber Team of Teams" Operating Model
The McChrystal-led transformation of JSOC, described in the book Team of Teams, shows a better way of operating that can work for security organizations. To get there, follow these four principles:

  1. Establish a nimble yet authoritative hub. Cybersecurity teams must break free from a capability-first mindset. Great human talent and leadership guide success. A small set of visionary, business-minded security leaders need to see and have authority over the entire enterprise. But this isn't about precise command and control. This is about establishing a comprehensive view and a shared consciousness that anyone doing security can benefit from. A central strategy hub, focused on illuminating the risks that matter most to the business, is a key starting point.
  2. Engender a "localized" operating model. Rather than barking out prescriptive orders from the center, the hub sets strategic guidance, provides shareable resources, and lets people get to work. Most decisions get pushed down to the field. Specialized, small teams — whether dedicated to functions like intelligence, response, or organizational change management, or aligned to specific ecosystem domains (such as IT, OT, product design) — develop their specialized view of priorities, and they work with their business partners to get the job done. These team members shouldn’t all be from the core security organization. You need business natives. As a security leader, your job is to influence others and get them to commit resources to this important shared mission.
  3. Make constant communication an operational norm. These localized teams talk to each other, independent of the hub. That steady flow of fresh information and insights, especially across organizational seams, keeps security organizations aligned and ahead of the bad guys. The central hub is in the mix, but it's no bottleneck to success.
  4. Free up your human talent. Tools must serve people. Not the other way around. Security programs need to continually work to automate the right things. Enable the machines to do what they do best, while freeing up human talent to do what it does best: craft vision, understand nuanced risk profiles, communicate, and be creative.

We call this approach "Cyber Team of Teams." Operationalizing it is becoming a necessity for large organizations across industries, just like it was for General McChrystal and JSOC. The purpose is not only to lessen the pain of today, but to set the business up for a competitive and successful future.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Matthew Doan is a leader in Booz Allen Hamilton's commercial practice. He advises senior clients and leads project teams in driving innovative strategic and operational cybersecurity solutions, particularly for global automotive, oil and gas, industrial, and high-tech ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...