There are tools, skills, and a science to creating an effective approach to enable organisations to move fast and defend against an ever-changing opponent, says Phil Quade
The natural attraction of humans to speed has been a part of our history from the time we could walk upright. Whether by foot across land, in boats on the water, or being pulled by an animal, speed was a part of our ancestors’ survival plan, social fabric, and continuing intellectual quest. In modern times, billions of dollars are spent on the sport of racing just about everything. But one of the most complex integrations of speed and humans is that between human and automobile.
Whether it is for the sport of a high-speed thrill around a track, across the land in amazing road races, or as a part of our survival on the part of those who protect society by driving fast to protect and save lives, people have gotten good at driving automobiles fast.
As with anything else, there is a science, skill, and methodology to manipulating a vehicle into speeds faster than the norm, and failing to understand that typically has a devastating effect. For example, not understanding at what point of a curve to accelerate or brake can cause you to roll your vehicle, not understanding the dynamic force of an object in motion will cause you to lose control, and not understanding acceleration inertia delay will cause you to lose your race.
In cybersecurity, the same is true of a leader managing the objective of being effective in the face of speed. There are tools, skills, and a science to creating an effective approach to enable organisations to move fast and defend against an ever-changing opponent. Many elements can assist you in delivering against that objective, but the following are practical skills that you can start using today.
Elements of force multiplication
The military has been using the term force multiplication since the beginning of organised military doctrine hundreds of years ago. The concept is relatively straightforward: Apply additional assets to your common core operating capability (people), and it accelerates and expands their effectiveness. For example, give an army the asset of intelligence, and its operating impact will be greater than it was before it had that information. Give ground forces the capability of GPS location, and they will be faster and more accurate than they were with the same amount of core resources prior to that technology.
As a practitioner in digital infrastructure leadership, you can enable your organisation to strategically focus on the need for speed through the same use of force multiplication. By aligning to the elements of speed that most affect your mission scope, you can add levers that will multiply the abilities of your resources. Perhaps it’s intelligence, automation, or new technology. In some cases, it may be the use of a third party or the ability to have access to data. Whatever it is, you have an opportunity to manipulate and accelerate your current capabilities to meet the need for speed through the simple application of resource elements, resource combinations, and resource alignment.
Inertia
Books have been written on the laws of motion, and great strides in science have been gained through the study of motion and speed. The fundamental laws of motion still apply, and the truth of the principle that ‘things in motion stay in motion’ is undeniable. In the context of speed, cybersecurity, leadership, and your job, the ability to act fast starts with the basic ability to act. In this arena, inertia is counter to growing in capability and speed over time. Often, we wait too long to enable our organisations with capabilities because of limited funding, resources, or just wanting a plan that is 100% complete every time. This approach is not helpful, nor is it necessary, because it will inevitably result in being too late to begin to create a necessary capability at the time it is most needed.
A simple tool in the development of operational effectiveness in the face of speed is to create supporting services, resources, and capabilities aligned with the scope of your mission that will be most applicable in the core areas of prevention, detection, response, and recovery. The idea is not to create these capabilities at 100%, but rather to have a baseline operating framework, knowledge, and understanding that can be refined and used over time. By maintaining this aggregate line-level capability, ensuring you and your organisation understand it, adding it to your concept of operations, and knowing not only how it is applied but how to grow it, you can implement resources faster than if you were starting from scratch. Even though they may be minimal in normal operations, your ability to grow them fast and apply them faster will be significantly greater than if you had to start from the beginning.
Prioritisation
A key capability often missing in an organisation’s ability to execute at speed is its ability to prioritise. Although in our world, many if not most things seem to be equally critical, the reality is that there is always a pecking order and prioritisation of action and attention, and recognising that is crucial to making smart, informed, and rational decisions that enable speed. As an operational leader, you should always have these three priority lists on hand, updated, and ready to use in your decision-making process:
- Critical asset protection priorities. These are the assets, systems, processes, or functions that run your business. If you had only $100 to spend, what would you spend it on? This discussion should be inclusive of your business to ensure you understand what it takes to go to market, what enables your business to operate, and what key assets hold the most value to your company.
- Risk prioritisation. This list is all about your focus. What projects are most critical to resolve your value-at-risk? Where can you deprioritise to affect other priorities, and where can you move resources to scale faster?
- Urgent action defence protocols. These are pre-negotiated/decided actions for when things go wrong. In layman’s terms, which part of the body can I cut off to save the head? When catastrophic issues occur, timely decisions are necessary to prevent further catastrophe. Who can order the shutdown of a business line, and when? What thresholds require automatic action, such as turning a data centre dark? Who has the authority to call law enforcement if needed? The most critical part is to get these hard-to-make decisions on paper, including what would trigger them, and ensure agreement across the entirety of the business on how to execute them.
This is an edited extract from The Digital Big Bang: The Hard Stuff, The Soft Stuff, and The Future of Cybersecurity, by Phil Quade (Wiley, 2019)
Phil Quade is the CISO of Fortinet. Phil brings more than three decades of cyber intelligence, defence, and attack experience working across foreign, government, and commercial industry sectors at the National Security Agency (NSA) and partner organisations, such as US Cyber Command, the CIA, and others.