A Strategic Approach to Implementing and Maintaining Your Cyber Security Program
Shawn Scott, CISSP
President, Badger Infosec, LLC
During the first Gulf War, the doctrine of Effects-Based Operations rose to prominence among military strategists – and has remained a key component of doctrine to this day. The concept is relatively simple; all tactical operations should be deliberately planned to support the broader desired effects that we wish to impose on the battlespace. In turn, these effects should support movement towards a desired end-state, or more simply, “what we want things to look like once the shooting stops.” The creator of the effects-based strategy, Lt General David A. Deptula, explained the benefits of this approach in a speech marking the tenth anniversary of the Gulf War air campaign: "If we focus on effects, the end of strategy, rather than force-on-force, the traditional means to achieve it militarily, that enables us to consider different and perhaps more effective ways to accomplish the same goal quicker than in the past, with fewer resources and most importantly with fewer casualties."
There are many analogies between the never-ending battle against cyber adversaries and the battles fought by our nations’ militaries. Just as in military operations, our cyber security efforts should seek to accomplish our goals more quickly, using fewer resources and with fewer incidents. When taking an effects-based approach to cyber security, we must begin by defining the desired end-state. What are the characteristics of a more mature cyber security posture? I offer that the goals of any cyber security program must include the following:
I’ll conclude with one last analogy to military doctrine. After September 11, 2001, the U.S. and its allies embarked on a major expedition which sought to rapidly eradicate terrorist forces from large swaths of the Middle East and Southwestern Asia. But by 2008, the prospects of quick victory with a return to a pre-9/11 world had vanished. Military and national security thinkers began to view the roots of terrorism in more broad socioeconomic and political terms, with endemic poverty and instability creating fertile soil for anti-western ideologies. The logical conclusion of this line of thinking is that radicalism will be with us for the indefinite future. Thus, our efforts to combat it must be strategic and sustained – because the adversary isn’t going away.
The roots of cyber threats lie in the innate human trait of greed, and so we should expect these threats to be with us indefinitely. We must accept these threats as part of the enduring environment in which our organizations operate. Like any other enduring environmental factor, we must make threat management a continuous business process. By adopting an effects-based cyber security strategy, your organization can address these persistent challenges in an organized manner that will reduce your long-term risk.
Shawn Scott is a veteran of both cyber and combat military operations. He currently leads Badger Infosec, where he specializes in assisting organizations adopt strategic and sustainable approaches to cyber security.