Updated on September 11, 2018 from the original December 2017 LinkedIn article
Managing cyber/info security programs can sometimes be like playing a game of Battleship. Sinking enemy ships without losing your own ships is a daily battle for the cyber program admirals and sailors. While most “games” in life have no guarantee of winning (without cheating), it is important to avoid sinking your own ship and facing public embarrassment.
If you don’t remember how the board game version created in the 1960s worked, it was fairly basic. You and a partner secretly place your own ships on a grid labeled by letters and numbers. The object of the game was to “shoot” torpedoes at your competitor’s ships by calling out a plot point (e.g. B-6). If any portion of a ship was in that portion of the game board, they would indicate a “hit.” Similarly, if your torpedo was heading out into the vast unknown, they would indicate “miss.” For each hit, you would add a red peg, and for each miss, you would add a white peg onto the top “radar” portion of your game. As your competitor made their moves, you would also put red pegs onto your ships and white pegs into the sea where they missed.
The strategy behind this game was simple. When you hit something, you knew you were on the right track and you just needed to figure out which way the boat was going and miss as few times as possible because you needed to be faster than your competitor in the race to be the last boat standing. The hardest part of the game was the beginning, because you had no indicators of where their boats would be and whether they were clustered or spread out.
Playing the Cyber Security program leader game is much more complicated, has higher stakes, and is often much more stressful. However, there are some intrinsic similarities between each “game.”
- You don’t know exactly where your enemy is hiding or shooting from.
- Finding the enemy is difficult and the beginning is always the toughest. You sometimes feel like you are starting with an empty board.
- You have to manage both an offensive and a defensive strategy (sink their boats while not letting them sink your boats).
- You have limited time and have to manage your “moves” to win.
- You only get one turn at a time. While everyone seems to think they are good at multi-tasking, the bad guy is moving at the same (or faster) pace as you, so you have to keep up, and there is no “time out.”
- Your strategy is to manage “time and take.” The bad guy is firing on you and there is no way to completely protect your boats. So, your job is to slow the bad guy down and minimize how much they take from you (whether it be boat explosions, data theft, or business compromise).
- Ships are of different sizes and value from a strategic standpoint. You can’t protect all of your boats in the same manner.
- Unlike in Battleship, some IS leaders do not fully know where their own ships are, where they are placed, what protections they have against enemies, and which ships are most important. If they don’t know their company’s business intricacies well, its risks, or even where their own ships (information assets) are placed, they start their game with a significant disadvantage.
- In Cyber Security, you get a chance to add additional controls to protect your ships. While there are still no failsafe protections, you have a chance to deflect torpedoes.
- Also in Cyber Security, you have a chance to try to detect enemy torpedoes before getting hit.
- In Battleship, you only get hit and sink, or sink the enemy. There is no need or ability to manage the impact once the first torpedo hits. In Cyber Security, how you handle the explosions is half the battle (and likely what you will be remembered for and whether you will keep your Admiral title).
There are many ways to keep this analogy going and help you play effective offense and defense. However, many Cyber Security blogs and articles cover these topics, and it all comes down to time, attention, technology choices, workforce engagement, and financial management. The following top five recommendations are aimed at helping you avoid torpedoing your own program and everything bad that follows that blunder.
#5. Implement more tools/technology than anyone else.
Technology is critical to improving the ability to protect information, detect malicious activities, and respond effectively when an incident does occur. However, a number of factors can render security technology useless. First, partially implementing, not tuning, or not adequately resourcing your security tools and technology can limit your ability to get risk-reducing value. Second, piecing together numerous competing security tools to cover more surface area can create a disastrous architectural pile of tech spaghetti and create unexpected conflicts and costs in the short and long term. Instead: Let your chief architect drive a holistic architectural tech stack. Like driving a brand new Ferrari, if you don’t use some light “architectural design braking” around the turns, you will go really fast (right before you slam into the wall of the first turn).
#4. Don’t be clear with your organization, IT partners, and your own security team about what you need from them, with effective prioritization and focus.
Spreading yourself, your organization, and supporting partners too thin is likely the #1 cause of security program leader failure. The adrenaline rush of protecting the company/customers/employees/shareholders in a time when executives and board members are writing blank checks can cause security program leaders to become over-ambitious in what they and their teams can accomplish. In the rush to protect and succeed, sometimes basic project/program management concepts such as the Law of Diminishing Returns get forgotten, and programs become very broad in the goals, tools, and processes they try to implement concurrently. While this can be sustained in the short term, leaders fail to recognize how to prioritize and manage initiatives across an organization because they suddenly have a new excess of money and security headcount. Instead: Prioritize everything. Seek to understand the end-to-end impact of pulling the trigger on your initiatives. Ensure that the right sponsorship and support is in place. Most importantly, enable your program manager to institute the process and rigor that keep the ship afloat and heading in the right direction.
#3. Trust and don’t verify.
Information Security expectations in the form of policies, standards, and procedures are oftentimes outdated or disconnected. When you and your team get a handle on what you need people across the company to do and you roll it out in a new written policy, sometimes leaders assume that everyone will properly follow it and the audit department will manage those who don’t. Behavior change is a critical aspect of implementing any policy. Even with the best policy, education, and initial roll out, workforce members have multitudes of priorities with limited time. Good intentions can succumb to competing priorities winning out, people misunderstanding expectations, or the breakdown of security controls over time, driven by time or turnover. With the amount of organizational change required, it is not enough to just publish a policy and forget it. Instead: Enable a customer-focused team of experts that can be trusting but also verify that key controls were implemented effectively. These individuals should be proficient at finding gaps, but also proficient teachers and motivators who help the workforce improve their processes and controls. Ultimately, this team can become such a hot commodity that there is a long waiting list for their time because of the effectiveness of the process and the assistance they provide.
#2. Minimize the accountability and ownership of workforce members to only avoiding phishing attacks vs. securely handling/storing the information that each of them works with every day.
If you read or watch the media coverage of cyber security related breaches, it is likely that a minimum of 9 out of 10 of these events resulted from someone clicking on a malicious email or not patching a piece of software or equipment. Any rational person would piece this together and conclude that 90% of information security workforce education should be focused on avoiding malicious links, attachments, or requests in emails. While most would consider this approach logically sound, the problem with the thinking is assuming that the media’s coverage of information security represents 100% of malicious activity at companies. It turns out that the majority of breach coverage is of what is publicly disclosed, and most of what is publicly disclosed is what is required by law. Breaches of personal information are required to be reported in many countries, including the United States. Conversely, theft of intellectual property or impairment of business operations is for the most part not regulated, and there are no firm requirements to disclose these events. So focusing only on phishing attacks helps you with just one threat vector and ignores the malicious insider as well as the good/secure information management and handling controls that every workforce member should be practicing. Instead: Don’t get hooked by the 90% phishing focus theory. Phishing should be a key focal area within a broader, robust workforce awareness strategy. Put yourself in the shoes of various workforce members across the company and ask yourself what the top 3 things are that this person could know and do to better protect the company. Hint: the answer will be more than not clicking emails. Empower someone to own this workforce behavior strategy end-to-end and formulate the top behavioral interventions to focus on.
#1. Assume that, since cyber attacks and bad-guy motivations are constantly evolving in the news, solid information security risk management concepts and info asset prioritization no longer apply.
With the pace and public knowledge of prominent breaches from Target to Sony to Merck, cyber criminals have shown they have a wide assortment of intentions and methods of compromising their victims. A program leader could take examples like the Target HVAC supplier compromise that led to the point of sale system attack and conclude that it is no longer effective to prioritize the riskiest suppliers and focus on those before moving on to others. Similarly, the Merck attack that rapidly compromised a large number of PCs and servers in a matter of seconds could urge you to conclude that prioritizing focus on the most critical IT systems is no longer an effective strategy. In both of these cases, if you let unconventional new forms of attack defeat your belief in risk management or in a risk-based approach, you will quickly slip into spreading yourself too thin. There is something to learn from every security breach, but allowing it to limit your thinking about focusing first on what is most critical to your business will mix up a recipe for disaster. Instead: Broaden your focus on “what’s most important” from a traditional focus on what the bad guys want to steal most to a comprehensive view of where the company can get hurt the worst. For more information on my “3am CEO call” approach, read the recent article that I published called “Breach! The 3am Call from the CEO and What Your C-Suite Leaders Do Next Will Reveal Where You Aren’t Focused Today.” Ensure that you or one of your leaders is responsible for understanding this and that your team rallies around the answers.
In summary, Battleship is a game of learning, focusing your efforts, and sometimes luck! Cyber security leadership requires the same components to be successful in the long term. You can ensure that your and your team’s focus is as effective as possible by understanding how you are placing your boats and using your pegs. Ultimately, the faster we can land our cyber security red pegs on the bad guy and evade getting pegged ourselves, the faster your company’s ships will sail.
Feel free to COMMENT, REPOST, or LIKE to keep these free articles coming. If your security program needs help translating strategy into action and becoming more business risk/threat focused, you can request more information at firstname.lastname@example.org. More information can be found at www.revealrisk.com.