When we think about crime, terrorism, and warfare in cyberspace, it can be tempting to draw parallels with their conventional equivalents. While these kinds of allegories can sometimes help us understand the more hard-to-grasp concepts of what’s happening inside computer networks, they can also be dangerously inaccurate. (Comparing any system compromise to the attack on Pearl Harbor is typically pretty dubious!)
That said, three fundamental concepts which have been used to discuss military campaigns for centuries do translate very well to cybersecurity – and provide us a useful model to understand some common failures in our security programs. Those concepts are strategy, tactics, and logistics. Planning at each one of these levels is crucial to successful organizational security.
Deficiency in one or more of these areas typically causes some consistent and very recognizable problems across an organization’s security programs. Learning the function of each of these areas and how to recognize the associated failures is a useful tool to help leaders effectively pinpoint and remediate problem areas.
Strategy & Security
In military operations, strategy refers to the overarching plans and goals for a campaign, which typically include many component tactical operations. In cybersecurity, strategy includes the project managers and leaders who measure and evaluate risk, build security budgets, and determine overall operational direction. Strategy both guides security programs and establishes how their success will be measured.
Good strategic planning requires involvement from the executive level, governance, compliance, risk management, and legal counsel staff, quality threat intelligence, and a keen understanding of the organizational mission. It demands constant, careful quantifying and weighting of risk and budget.
How to Know if Your Strategic Planning is Lacking
Without solid strategy, there’s typically confusion and disorganization between IT and security teams. Individual security efforts may stall or conflict. Security program or tool implementations may be suddenly cancelled in favor of something else, at a cost of resources and hundreds of hours of work. Individual contributors may not be aware of their importance to the organization’s mission.
An organization with poor strategy will also frequently have difficulty in measuring program success in an effective and consistent way – for instance, counting numbers of network scans detected at their perimeter as opposed to quantified year-over-year effectiveness at responding to threats. This can be markedly damaging to budget and employee morale.
Tactics & Security
In warfare, tactics are decisions and plans made at the field level. Tactics are the nitty-gritty details of accomplishing an objective. They include proper resource selection for individual tasks, operational playbooks, and quick triage decisions. A General may not care which specific rifle a soldier uses, as long as a mission’s objectives are completed adequately. He or she will leave that decision up to a Lieutenant or Sergeant who has insight to make a good tactical choice. This kind of delegation should persist in technical environments.
For many technical professionals, thinking about security operations immediately leads to tactical thoughts. When asked about security, they will likely consider tools and procedures used to respond to a specific type of alert, remediate a compromised system, or compromise a server during an assessment. For individual technical contributors, tactical thinking is critical to day-to-day security operations.
Good tactical thinking should be sourced from technical subject matter experts, industry best practices, and experienced security team leads. It also requires continual policy and resource support from leadership. Strategy must support and drive the development of tactical plans, without interfering with minutiae.
How to Know if Your Tactical Planning is Lacking
Without good tactical thinking, specific types of failures begin to occur. Leaders may tell security teams to “hunt” or “protect the network” without any clear scope or operational guidance given to the responsible analysts. Response or assessment activities may be haphazard and disorganized, and procedural steps will frequently be missed.
For example, a password might not be configured on a newly deployed device because no task to verify it was ever added to the appropriate playbook. Or, forensics work might be lost during a shift change because of poor handoff communication and lack of technical training. Small things start being missed, which can factor into significant problems down the line.
Logistics & Security
Logistics is critical to conventional warfare, and military historians often lament how often it’s overlooked. It encompasses resources like people and equipment getting to where they need to be, in the correct quantities and on time. Logistics aren’t necessarily cool – but without food, even the best-trained army will starve.
Tactical and strategic thinkers in cybersecurity are often equally guilty of overlooking the key element of logistics. In security, it includes IT and acquisition staff and processes which ensure teams have needed, licensed, and updated tools, and that equipment gets to the right places on time during incident response or engagements.
Good logistics are deeply dependent on organizational budgeting and strategy. However, they also require excellent advance planning by the teams involved in getting people and equipment from point A to point B. This may include teams such as HR, shipping and receiving, and IT acquisitions.
How to Know if Your Logistical Planning is Lacking
Nearly everybody who works in cybersecurity has had to deal with an impactful logistical failure. These failures can come in the form of critical physical equipment not being purchased or shipped on time. Not receiving necessary equipment while responding to a security incident can halt investigation and remediation efforts. Logistical errors also frequently involve product licensing – from expired security tool subscriptions to a surprise end to software security updates!
Human beings can also fall victim to organizational logistical failures. Delays in HR procedures, background checks, essential training, and promotions can be tremendously disruptive to the employee and impacted teams.
Remember, both tactics and strategy are dependent on effective logistics!
What This Means to Your Organization’s Security
Modeling security programs’ failure points in terms of tactical, strategic, and logistical failures can be extremely useful in pinpointing their root causes. For instance, recognizing that conflicting or competing programs between two teams typically reflect a strategic failure can enable leaders to direct the appropriate resources to diplomatically fix the problem (rather than reprimanding the technical teams themselves).
When implementing a new security project or program, it’s extremely important to consider each of these components, as well as which teams or individuals are responsible for their success. Strategy, logistics, and tactics are all equally important to cybersecurity, and they are inextricably linked. If an organization cuts resources from one area without forethought, the security program will ultimately suffer. Paying attention and allocating adequate resources to each one is a great step on the way to building and maintaining a successful security program.