New Models Will Help Erase Cyber Strategy’s Bad Name
by Marty Trevino
One of the many core components of cybersecurity is S-T-R-A-T-E-G-Y.
Yet, strategy formulation of every type has gotten a bad name over time and this has extended into technical and cyber strategy. Cyber strategy is often little more than a notional meshing of technologies in the mind of a CISO or CTO, with very little on paper --much less quantitatively based.
Too much is done by touch and feel and not enough is based on research and facts – even though the facts are available. We frequently hear this in de facto statements made by cybersecurity professionals: "I know what technology works and what doesn't."
The Illusion of Knowledge
The neuroscience of decision-making tells us this staunch belief statement is the product of the brain fooling us into believing that we "see" everything, even when we actually are seeing very little. Daniel J. Boor put it best when he said, "the biggest obstacle to discovery is not ignorance; it's the illusion of knowledge."
It's here that cyber risk modeling can pay dividends and new conceptualizations such as meshing cyber risk modeling with cyber capability modeling show tremendous potential. Utilizing quantitatively-based cyber risk and capability modeling can and should be the basis for a cybersecurity strategy at the enterprise level.
This type of model can produce a set of informative visual analytics that can inform precisely where to "buy down" or accept risks. It is achievable for corporations, governments, or military organizations. If made dynamic through algorithmic updating and correlation, these models can automatically adjust to the changing threat environment.
Exhibit A: The Pandemic
Let's look at the pandemic as an example. We can aptly call COVID-19 a black swan that has fundamentally altered the cyber ecosystem in numerous ways. COVID-19 is simply one example of an event type that provides actors with a new target set, such as new contact tracing apps.
Consider this perfect storm of occurrences:
The public is willing to download contact tracing apps for fear of contracting the virus.
Hospitals and individuals looking for PPE gear are willing to open an email or PDF from a vendor saying they have masks, gloves and gowns in stock.
A new opportunity has presented itself with the racial issues in the US, as people are downloading BLM logos and messages every day.
Cyber actors around the world over are more than willing to use any of these diversions to compromise both individuals and corporations with fake downloads. Nation State actors have been quick to recognize a potential opening as attention and budgets are diverted.
These circumstances present real problems for cyber leaders. As we have seen, the environment is dynamic and complex. Cyber is still a very young domain and how to lead and manage this domain is still being defined.
One approach to tackle this challenge is to look at best practices, managerial methods and tools developed in other domains that might be applicable to cyber. One of the best practices to emerge in cyber is a transplant from the military kinetic domain is the concept of “capabilities.” The purposeful and methodically building of capabilities within a framework for executing mission.
Military forces the world over have leveraged readiness and capability modeling for decades. The same approach works beautifully well in cyber. These models have the effect of focusing strategic thinking on the critical elements that enable mission. They can also help understand the posture of a cyber organization to answer critical questions such as “are 80% of my resources performing proactive or reactive tasks?”
Here is a basic mental model of how a capability model would function in cyber. It would underpin the national cyber priorities, they would also enable the achieving of tactical priorities. You could then understand what percent of dollars spent, and resources allocated were for offensive or defensive, which were proactive vs. reactive, and so on.
There are many new frontiers to cross in the cyber realm. In the coming weeks and months, we’ll delve more into visual analytics, readiness and capabilities modeling and the neuroscience of decision making. I’m looking forward to taking this journey with you.
Dr. Trevino is Chief Science Officer at InsightCyber.