During the first Gulf War, the doctrine of Effects-Based Operations rose to prominence among military strategists – and has remained a key component of doctrine to this day. The concept is relatively simple; all tactical operations should be deliberately planned to support the broader desired effects that we wish to impose on the battlespace. In turn, these effects should support movement towards a desired end-state, or more simply, “what we want things to look like once the shooting stops.” The creator of the effects-based strategy, Lt General David A. Deptula, explained the benefits of this approach in a speech marking the tenth anniversary of the Gulf War air campaign: “If we focus on effects, the end of strategy, rather than force-on-force, the traditional means to achieve it militarily, that enables us to consider different and perhaps more effective ways to accomplish the same goal quicker than in the past, with fewer resources and most importantly with fewer casualties.”
There are many analogies between the never-ending battle against cyber adversaries and the battles fought by our nations’ militaries. Just as in military operations, our cyber security efforts should seek to accomplish our goals more quickly, using fewer resources and with fewer incidents. When taking an effects-based approach to cyber security, we must begin by defining the desired end-state. What are the characteristics of a more mature cyber security posture? I offer that the goals of any cyber security program must include the following:
Effect-Based Goals for Your Cyber Security Program
- Greater visibility. You must have visibility into the vulnerabilities that provide vectors for adversary attacks on the organization. You can’t mitigate vulnerabilities that you don’t know exist.
- Greater understanding of the risks those vulnerabilities pose to core business functions. Quantifying risk is an inherently subjective task. Dr. Eric Cole offers an equation for calculating cyber risk: Risk = Threats x Vulnerabilities. But this is still a qualitative method, as threats are scored by perceived likelihood, and vulnerabilities are scored by perceived impacts. However, we should not “let the perfect be the enemy of the good.” Something is better than nothing, and prioritization of risk is a pre-requisite to effective resource allocation.
- A robust strategic plan to mitigate cyber risk. Very few organizations have the resources (or the will) to dramatically improve the maturity of their cyber security program in the short term. Communications infrastructures are a complex patchwork with countless interdependencies that represent years of investment. You can’t just wipe the slate clean and start over from scratch to build a perfectly secure environment. And even if that were possible, the threat environment would change tomorrow. In our desired end-state, planning and budgeting for cyber security is a normalized and repeatable process on par with any other cost center. Analysis of cyber security impacts are part of the risk analysis process for any new service.
Tactical Actions to Support These Effect-Based Goals
With an understanding of what we want the end-state to look like, we can identify the “tactical” actions that we can perform to support these strategic objectives. Our tactical actions should build upon previous actions, and set the stage for what is to come – so I offer this loose order of implementation:
- Pick a framework. Security is hard enough without re-inventing the wheel. A framework will provide a structured method for assessments and help prioritize your remediation efforts. There are numerous good frameworks available, and the one that is right for your organization is a function of your regulatory requirements, your industry vertical and organizational characteristics. For the small to medium-sized businesses I primarily work with, the Center for Internet Security’s 20 Critical Controls (CIS 20) is often a good fit. If you do business with the U.S. government, NIST 800.53 may be a better (though more complex) option. Some frameworks are mandated by regulation or industry standards, such as PCI-DSS. However, most of these frameworks easily map to each other, and if you secure your organization with a comprehensive framework such as CIS 20, compliance with regulatory frameworks will be much easier.
- Empower someone to take charge of your program. While this person should be technically savvy, uber-geek status is not required. Managerial and planning skills are more important. Train them in cyber security management vice technical competencies. I recommend they at least attend some of the courses in the management track offered by the SANS Institute (https://www.sans.org/curricula/management). These courses are not cheap but are a worthwhile investment if you don’t already have a qualified manager on hand.
- Perform a comprehensive vulnerability assessment to establish a baseline. Do not be fooled by the “$1000 specials” being offered by managed service providers (MSPs) or security solution vendors. These are simply marketing ploys to set up the sale of their services. Your assessment should be as objective as possible, and for that reason, it shouldn’t be performed by an in-house team unless that team 1) was not responsible for creating or maintaining the environment they are assessing, and 2) is fully qualified based on both experience and credentials. Many of our clients are finding that prospective B2B partners are requesting to review past audits and assessments as a normal part of discovery prior to entering into contractual relationships. A professionally-performed third-party assessment may become an asset to your bottom line.
- Make cyber security a separate line-item in your budget, distinct from information technology. You don’t steal from funds dedicated for building maintenance to pay for your physical security (alarms, guards, etc). How much is the right level? Resist the temptation to Google for rules-of-thumb, especially while your program is still immature. The “right” amount will depend on your existing risk exposure and be weighed against competing interests in your organization. Having a solid risk assessment will help your Chief Risk Officer (or whomever performs that function) make informed input to the overall corporate budgeting effort. FOOT STOMPER: Understand the total life-cycle costs of proper implementation of any solutions you choose. Here’s another military analogy for you: Why are all the high-tech weapons that we have given to the Iraqi and Afghani militaries rusting away and falling apart? Because there was no proper plan in place to sustain them. Even the slickest security solutions need properly trained people to operate and tune them. A flashy new Security Incident Event Management (SIEM) solution will do you no good if you don’t also invest in the human needed to use it effectively.
- Seek value. Remember when I said earlier, “Don’t let the perfect be the enemy of the good?” Chances are, reconfiguration of security or IT solutions that are already in place (paid for!) can move the needle on your overall cyber security posture. You don’t need to wait for next year’s budget to implement mitigations. You don’t need to re-architect your environment for software-defined networking to make it harder for attackers to move laterally in your network; basic segmentation through VLANs can almost certainly be performed with your existing hardware. Working with a security consultant can help you identify where “low hanging fruit” exists in your environment. Taking advantage of these easy-pickings can be an attractive bridge to more long-term solutions.
- Score yourself (or have someone score you). Adopt a maturity model to enable easier communication of your current security state and future goals. Even a relatively “simple” framework like the CIS 20 is too granular for C-level (or Board) consumption. A maturity model can provide a much more effective and high-level yardstick that can help drive buy-in from resource decision makers. But remember – a maturity model is a tool to help drive continuous improvement, and not an end-in-itself. Don’t create an environment where the disincentives for honest assessment encourage pencil-whipping. There are many available models to choose from – some designed by government agencies and some by private organizations. Once again, work with a security professional to choose the model best suited to your environment.
I’ll conclude with one last analogy to military doctrine. After September 11, 2001, the U.S. and its allies embarked on a major expedition which sought to rapidly eradicate terrorist forces from large swaths of the Middle East and Southwestern Asia. But by 2008, the prospects of quick victory with a return to a pre-9/11 world had vanished. Military and national security thinkers began to view the roots of terrorism in more broad socioeconomic and political terms, with endemic poverty and instability creating fertile soil for anti-western ideologies. The logical conclusion of this line of thinking is that radicalism will be with us for the indefinite future. Thus, our efforts to combat it must be strategic and sustained – because the adversary isn’t going away.
The roots of cyber threats lie in the innate human trait of greed, and so we should expect these threats to be with us indefinitely. We must accept these threats as part of the enduring environment in which our organizations operate. Like any other enduring environmental factor, we must make threat management a continuous business process. By adopting an effects-based cyber security strategy, your organization can address these persistent challenges in an organized manner that will reduce your long-term risk.