The Strategic CISO: Learning from the Masters of War
There are seven strands of military strategic thought that are useful for modern CISOs. The first is
the importance of ensuring that a CISO’s objectives are always tied to the larger business
objectives. The second is that adversaries will respond dynamically, and often in unexpected
ways, to every action taken by defenders, and the third is that a defender must understand and
focus on the right center of gravity. The fourth suggests that an indirect approach is often more
fruitful than charging straight into every problem, and the fifth, the principle of flexibility and resiliency,
is most often what enables that indirect approach. The sixth lesson from military strategy is
the importance of a CISO understanding both their own actual situation and that of their
adversaries as accurately as possible, and the seventh and final lesson is the importance of
measurements and metrics.
The Chief Information Security Officer, or CISO, is a relatively new phenomenon. In medium and
large firms they have gone from almost unheard of in the early 2000s to very common in less
than a decade. While a CISO’s role and scope of responsibility can vary from firm to firm,
generally they are responsible for the defense of business and enterprise networks from
attackers of all levels from unsophisticated attackers running tools or “script kiddies” up through
nation-state-level attackers. The responsibilities of a typical CISO have also started to expand
to cover not just Information Technology (IT) but also Operational Technology (OT), as the
importance and vulnerability of those systems have become more broadly understood. CISOs
most often come from an IT background, as that is where the bulk of their responsibility has
traditionally been. Because of their technological focus, CISOs are often admonished to be
“strategic” instead of tactically focused on technology. But what does it mean for a CISO to be
strategic?
There are few words in the English language abused as often as “strategic.” Official definitions
abound, but for many people a “strategy” has become almost synonymous with a plan and is
simply a concept of how something is to be accomplished. Military thinkers, on the other hand,
have drawn a firm distinction between planning and strategy, with strategy being more about the
“why” and planning about the “how.” Is there something for CISOs in the thousands of years of
carefully recorded thinking about military strategy that would apply to their business-focused
strategies?
Physical warfare can be thought of as analogous to attacks in cyberspace since in both cases
humans in conflict are at the heart of the matter. Accordingly, there are useful strands of
strategic thought that can be extracted from military strategy and repurposed to great effect by
modern CISOs. Before pulling out specific strands of use to CISOs, it is worthwhile to briefly
look at some well-known concepts of what strategy is, and how those concepts might apply to
the problems faced by a CISO.
Academics who study strategy and warfare like nothing more than to endlessly debate the
definition of strategy. For a CISO, however, I think that Colin Gray’s definition is the most useful
when coupled with additional elements from J. C. Wylie. Gray’s definition of strategy is
essentially that it is the “bridge that connects the worlds of policy and military power.” Good
69 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide