Author: Jonathan Reiber, Head of Cybersecurity Strategy
Oftentimes, it is said, we fight the last war. It happens
when strategists fail to account for changes in the security environment, like
the birth of the machine gun, the tank, or the improvised explosive device –
technological innovations that altered how conflicts unfold.
Today in cybersecurity, organisations are still overly
focused on securing the perimeter – on keeping intruders out of a network.
While perimeter defence is a key part of the total security stack, it is not
sufficient for effective cybersecurity.
We know from history that it’s not a question of if but
when an intruder will break into a data centre. Once inside, absent internal
security systems, intruders almost always have the keys to the kingdom and can
rove around unencumbered until they get their hands on an organisation’s crown
jewels. See, for example, China penetrating the U.S. Office of Personnel
Management, or the attack on Singapore’s health service, SingHealth.
Organisations need to invest for the day when their
perimeter defences fail. And most often, they haven’t. Why?
Why doesn’t every major governmental organisation adopt the
“assume breach” mentality and invest in defence-in-depth strategies? The answer
comes in part from a deficiency of habit. Strategic and scenario planning can
help organisations get ahead of threats. Such planning requires expertise, sure
– but above all it requires the regular habit of setting aside time to think
about and plan for the future. A habit that every leader should follow.
At the Pentagon, they had strategic habits forced upon them
from the outside as well as from within. The process continues today: Congress
mandates the Quadrennial Defense Review (QDR), a four-year cycle of policy
planning and budgeting to force the Defence Department to do long-term
strategic planning. The QDR drives policy as well as technological capability
investments. The Pentagon had short-range planning forced on it too. The
Secretary of Defence requires the military to plan for conflicts (or
lower-level contingencies) with country X, Y, or Z or for homeland defence
incident A, B, or C.
Most of these short-term plans are obviously classified.
Sometimes they focus on countering an adversary. Sometimes they focus on
securing the homeland or preparing America’s cities and towns for natural
disasters. In each instance, the military and parts of the national security
community have to imagine scenarios, identify objectives, and determine the
components required for an effective contingency plan to succeed. From those
plans, exercises and exercises and exercises follow.
There is a connection between long-term and short-term
planning. Longer-term strategic planning like the QDR sets strategic goals and
objectives for four or five years. It identifies major technological
expenditures for future budget years, like the building of aircraft carriers,
new scientific research, or the development of any military capabilities that
the intelligence and national security community deem vital for the long term.
Short-term plans force you to work with what you have today – and sometimes the
planning and operations process identifies gaps for the future. They should
nest within the broader strategy for the future.
The habit of thinking strategically doesn’t come naturally
to everyone. If it’s not forced on you from the outside, like through Congress
or another regulation, the only way to do it is to force yourself.
Executives can take the lead by setting planning
requirements. Boards can play a part too. Employees sometimes resist strategic
planning. It takes time and requires effort, but it almost always becomes a
valuable, creative process for the company. Nine times out of ten, an organisation
will leave a planning and strategy exercise better aware of its strengths,
weaknesses, opportunities, and risks than at the start – and with a greater
sense of strategic purpose around interests, goals, and objectives.
Start today to develop a habit for strategic thinking. Do
it regularly. Carve out time. Bring others in. Questions can help drive the
discussion. How are trends aligning to present opportunities and risks? What
are goals from within the cybersecurity landscape, and what obstacles lie in
the way? Have you thought about how potential adversaries could exploit your
overall weaknesses and risks? How can you capitalise on your strengths? Frame
these questions over short- and long-term timeframes.
Outside of regulation, it all starts by forming a habit for
doing the thinking.