Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

9/12/2017
02:00 PM
Connect Directly
LinkedIn
Twitter
RSS
E-Mail vvv
50%
50%

The 'Team of Teams' Model for Cybersecurity

Security leaders can learn some valuable lessons from a real-life military model.

The pressure is on cybersecurity leaders to get crafty. The ever-growing connectivity sprawl across businesses means a vastly expanded attack surface. Cybersecurity concerns now go well beyond IT, touching supply chain, production environments, smart connected products, and retail. Customers, partners, and regulators are demanding more security assurance. Meanwhile, the sophistication and motivation of cybercriminals are rapidly accelerating.

Today's online world is unpredictable, highly variable, and chaotic. But good lessons exist regarding what we can do about it. Cybersecurity leaders today are where US military leadership was in the mid-2000s: learning the hard way that tried-and-true ways of organizing, deciding, and delivering capabilities don't work well anymore, and can even be counterproductive. So, for cybersecurity leaders — and related accountable entities, such as chief risk officers — what's the takeaway? It's not simply to buy more capability, add to headcount, or expect a decisive edge from the latest tool. Instead, it's to dramatically alter how you use what you already have.

Historical Precedent with Military Special Operations
When General Stanley McChrystal took over the Joint Special Operations Command (JSOC) in late 2003, he saw that the US military was continually vexed by a decentralized network of fast, scrappy, tech-savvy insurgents. The military machine was too slow and rigid. To break the "whack-a-mole" pattern — something cybersecurity leaders struggle with today — McChrystal implemented some radical new practices, including:

  • Pivoting away from efficiency: Instead, McChrystal looked for ways to increase agility and respond rapidly to the unpredictability of the operating environment.
  • Fusing siloed functions together: He broke down walls between teams and processes to establish a singular view of purpose, engender deep trust, and increase speed of action.
  • Forcing shared consciousness: He established a transparent, intelligence-driven, and priority-focused construct with strong lateral ties between individual teams.
  • Taking an ecosystem perspective: He focused on cultivating broad relationships because of the interdependence of the operating environment and the need for select members of each internal team (and external partner organizations) to understand the entire interconnected system.

Infusing Lessons Learned into Cybersecurity
Security leaders today are constantly playing catch-up against innovative, agile threats. And just like the pre-2003 military machine, the legacy discipline of cybersecurity has been about structure, sequencing, precision, and capability dominance. Repeatable tasks, such as vulnerability identification and patching, are executed by technical gurus, in silos, using structured, manual methods. Piling on a new security technology for every new cyberthreat is the norm. This has created waste and management complexity. On the human side, for years we've seen hands-on "commanding" from CISOs, with orders executed by subordinates. Checklists, playbooks, and narrowly scoped roles are standard.

This doesn't cut it anymore. Yes, technology improvements (such as orchestration and automation) will help. But we're at a tipping point for how cybersecurity organizations must look and operate to protect and enable the business. Efficiency must give way to adaptability. Command and control to autonomy. Direction to guidance. Collaboration to total integration. Technical security experts aren't enough; these assets must be blended with creative business thinkers who understand how security investments should relate to enterprise strategy and risk.

And because we need to establish broad buy-in and unlock the resources of others, security needs people who are social influencers. Just as the military established networked "pods" of anthropologists and linguists into its deployed units, cybersecurity organizations must pull on the full range of resources and insights available across the business.

Establishing a "Cyber Team of Teams" Operating Model
The McChrystal-led transformation of JSOC, described in the book Team of Teams, shows a better way of operating that can work for security organizations. To get there, follow these four principles:

  1. Establish a nimble yet authoritative hub. Cybersecurity teams must break free from a capability-first mindset. Great human talent and leadership guide success. A small set of visionary, business-minded security leaders need to see and have authority over the entire enterprise. But this isn't about precise command and control. This is about establishing a comprehensive view and a shared consciousness that anyone doing security can benefit from. A central strategy hub, focused on illuminating the risks that matter most to the business, is a key starting point.
  2. Engender a "localized" operating model. Rather than barking out prescriptive orders from the center, the hub sets strategic guidance, provides shareable resources, and lets people get to work. Most decisions get pushed down to the field. Specialized, small teams — whether dedicated to functions like intelligence, response, or organizational change management, or aligned to specific ecosystem domains (such as IT, OT, product design) — develop their specialized view of priorities, and they work with their business partners to get the job done. These team members shouldn’t all be from the core security organization. You need business natives. As a security leader, your job is to influence others and get them to commit resources to this important shared mission.
  3. Make constant communication an operational norm. These localized teams talk to each other, independent of the hub. That steady flow of fresh information and insights, especially across organizational seams, keeps security organizations aligned and ahead of the bad guys. The central hub is in the mix, but it's no bottleneck to success.
  4. Free up your human talent. Tools must serve people. Not the other way around. Security programs need to continually work to automate the right things. Enable the machines to do what they do best, while freeing up human talent to do what it does best: craft vision, understand nuanced risk profiles, communicate, and be creative.

We call this approach "Cyber Team of Teams." Operationalizing it is becoming a necessity for large organizations across industries, just like it was for General McChrystal and JSOC. The purpose is not only to lessen the pain of today, but to set the business up for a competitive and successful future.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Matthew Doan is a leader in Booz Allen Hamilton's commercial practice. He advises senior clients and leads project teams in driving innovative strategic and operational cybersecurity solutions, particularly for global automotive, oil and gas, industrial, and high-tech ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.