The habit of strategic planning for your cyber-security future
Author: Jonathan Reiber, Head of Cybersecurity Strategy
Oftentimes, it is said, we fight the last war. It happens when strategists fail to account for changes in the security environment, like the birth of the machine gun, the tank, or the improvised explosive device – technological innovations that altered how conflicts unfold.
Today in cybersecurity, organisations are still overly focused on securing the perimeter – on keeping intruders out of a network. While perimeter defence is a key part of the total security stack, it is not sufficient for effective cybersecurity.
We know from history that it’s not a question of if but when an intruder will break into a data centre. Once inside, absent internal security systems, intruders almost always have the keys to the kingdom and can rove around unencumbered until they get their hands on an organisation’s crown jewels. See, for example, China penetrating the U.S. Office of Personnel Management, or the attack on Singapore’s health service, SingHealth.
Organisations need to invest for the day when their perimeter defences fail. And most often, they haven’t. Why?
Why doesn’t every major governmental organisation adopt the “assume breach” mentality and invest in defence-in-depth strategies? The answer comes in part from a deficiency of habit. Strategic and scenario planning can help organisations get ahead of threats. Such planning requires expertise, sure – but above all it requires the regular habit of setting aside time to think about and plan for the future. A habit that every leader should follow.
At the Pentagon, they had strategic habits forced upon them from the outside as well as from within. The process continues today: Congress mandates the Quadrennial Defense Review (QDR), a four-year cycle of policy planning and budgeting to force the Defence Department to do long-term strategic planning. The QDR drives policy as well as technological capability investments. The Pentagon had short-range planning forced on it too. The Secretary of Defence requires the military to plan for conflicts (or lower-level contingencies) with country X, Y, or Z or for homeland defence incident A, B, or C.
Most of these short-term plans are obviously classified. Sometimes they focus on countering an adversary. Sometimes they focus on securing the homeland or preparing America’s cities and towns for natural disasters. In each instance, the military and parts of the national security community have to imagine scenarios, identify objectives, and determine the components required for an effective contingency plan to succeed. From those plans, exercises and exercises and exercises follow.
There is a connection between long-term and short-term planning. Longer-term strategic planning like the QDR sets strategic goals and objectives for four or five years. It identifies major technological expenditures for future budget years, like the building of aircraft carriers, new scientific research, or the development of any military capabilities that the intelligence and national security community deem vital for the long term. Short-term plans force you to work with what you have today – and sometimes the planning and operations process identifies gaps for the future. They should nest within the broader strategy for the future.
The habit of thinking strategically doesn’t come naturally to everyone. If it’s not forced on you from the outside, like through Congress or another regulation, the only way to do it is to force yourself.
Executives can take the lead by setting planning requirements. Boards can play a part too. Employees sometimes resist strategic planning. It takes time and requires effort, but it almost always becomes a valuable, creative process for the company. Nine times out of ten, an organisation will leave a planning and strategy exercise better aware of its strengths, weaknesses, opportunities, and risks than at the start – and with a greater sense of strategic purpose around interests, goals, and objectives.
Start today to develop a habit for strategic thinking. Do it regularly. Carve out time. Bring others in. Questions can help drive the discussion. How are trends aligning to present opportunities and risks? What are goals from within the cybersecurity landscape, and what obstacles lie in the way? Have you thought about how potential adversaries could exploit your overall weaknesses and risks? How can you capitalise on your strengths? Frame these questions over short- and long-term timeframes.
Outside of regulation, it all starts by forming a habit for
doing the thinking.
Continue the conversation regarding strategic planning at Cyber Security X, Register your interest here.