The pressure is on cybersecurity leaders to get crafty. The ever-growing connectivity sprawl across businesses means a vastly expanded attack surface. Cybersecurity concerns now go well beyond IT, touching supply chain, production environments, smart connected products, and retail. Customers, partners, and regulators are demanding more security assurance. Meanwhile, the sophistication and motivation of cybercriminals are rapidly accelerating.
Today's online world is unpredictable, highly variable, and chaotic. But good lessons exist regarding what we can do about it. Cybersecurity leaders today are where US military leadership was in the mid-2000s: learning the hard way that tried-and-true ways of organizing, deciding, and delivering capabilities don't work well anymore, and can even be counterproductive. So, for cybersecurity leaders — and related accountable entities, such as chief risk officers — what's the takeaway? It's not simply to buy more capability, add to headcount, or expect a decisive edge from the latest tool. Instead, it's to dramatically alter how you use what you already have.
Historical Precedent with Military Special Operations
When General Stanley McChrystal took over the Joint Special Operations Command (JSOC) in late 2003, he saw that the US military was continually vexed by a decentralized network of fast, scrappy, tech-savvy insurgents. The military machine was too slow and rigid. To break the "whack-a-mole" pattern — something cybersecurity leaders struggle with today — McChrystal implemented some radical new practices, including:
Infusing Lessons Learned into Cybersecurity
Security leaders today are constantly playing catch-up against innovative, agile threats. And just like the pre-2003 military machine, the legacy discipline of cybersecurity has been about structure, sequencing, precision, and capability dominance. Repeatable tasks, such as vulnerability identification and patching, are executed by technical gurus, in silos, using structured, manual methods. Piling on a new security technology for every new cyberthreat is the norm. This has created waste and management complexity. On the human side, for years we've seen hands-on "commanding" from CISOs, with orders executed by subordinates. Checklists, playbooks, and narrowly scoped roles are standard.
This doesn't cut it anymore. Yes, technology improvements (such as orchestration and automation) will help. But we're at a tipping point for how cybersecurity organizations must look and operate to protect and enable the business. Efficiency must give way to adaptability. Command and control to autonomy. Direction to guidance. Collaboration to total integration. Technical security experts aren't enough; these assets must be blended with creative business thinkers who understand how security investments should relate to enterprise strategy and risk.
And because we need to establish broad buy-in and unlock the resources of others, security needs people who are social influencers. Just as the military built networked "pods" of anthropologists and linguists into its deployed units, cybersecurity organizations must draw on the full range of resources and insights available across the business.
Establishing a "Cyber Team of Teams" Operating Model
The McChrystal-led transformation of JSOC, described in the book Team of Teams, shows a better way of operating that can work for security organizations. To get there, follow these four principles:
We call this approach "Cyber Team of Teams." Operationalizing it is becoming a necessity for large organizations across industries, just like it was for General McChrystal and JSOC. The purpose is not only to lessen the pain of today, but to set the business up for a competitive and successful future.
Matthew Doan is a leader in Booz Allen Hamilton's commercial practice. He advises senior clients and leads project teams in driving innovative strategic and operational cybersecurity solutions, particularly for global automotive, oil and gas, industrial, and high-tech ...