strategy ensures that military force is applied in such a way as to further the political policy of the state.[6] This almost seems so obvious as to not be worth saying, unless you consider any number of historical examples where military operations took precedence over policy, with disastrous results for the nations involved.[7] When applied to a CISO, Gray’s definition can be modified to state that a strategic CISO should be the bridge that connects the two worlds of business objectives and cybersecurity. Security should serve and enable business objectives, never the other way around. Wylie adds one useful element missing from Gray’s definition when he adds that strategy should also include a systematic way to measure its success.[8] Defining the goals, ensuring they are achievable and time-bound, and developing the metrics to measure progress toward them is a critical, but too often overlooked, aspect of organizational leadership.
Establishing what are often referred to as SMART goals is an essential element. SMART goals are Specific, Measurable, Attainable, Reportable and Time-bound.[9] There are many benefits to specifying and defining strategic goals. Lower echelons of your organization are empowered to focus and organize their efforts to achieve the goals, and prioritization becomes more achievable because trade-off decisions can be evaluated in terms of goal achievement. This is just as true of a CISO, who should be able to determine whether a given strategy is successful in supporting the business objectives and then have the ability to demonstrate that level of success to the leadership of the company.
While the basic concept of strategy is similar between modern business and traditional military strategy, is that as far as it goes? What can a long-dead 19th century Prussian philosopher of war possibly have to say to a 21st century CISO that will be relevant and useful? Wherever people have fought, whether on land, sea, or air, the heart of the matter has been humans in conflict who act, and react, in similar ways. As conflict has extended into space and cyberspace, that still appears to hold true. Carl von Clausewitz, the aforementioned 19th century Prussian, observed that war’s “grammar, indeed, may be its own, but not its logic.”[10] An interesting development in cyberspace is that, unlike the other domains, private companies have thus far been expected largely to defend themselves, whereas in the physical domains a business was not expected to defend itself from hostile aircraft or tanks.[11] Some similarity may be seen in merchant ships that were subject to attack, but in the modern era they were generally defended by military members put on board for that purpose.
In our systems-of-systems world, both national defense and private industry are arguably more codependent than ever before. Much as merchant vessels in WWII depended on military protection, civilian industries and transportation have become more dependent on systems that are vulnerable to cyber-attacks. Is there an emerging need to support and defend these vessels during times of high threat or known attacks? Or does private industry fend for itself against the persistent cyber threats of the modern information age? Industry and military leaders are evaluating these questions and seeking the appropriate balance. The necessity of providing military protection to private industry was clearer in the industrial age, as in the example of escorting merchant vessels in WWII, but dependence on cyberspace challenges the historical approaches to these situations.
70 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide