Lesson 6: Know Your Enemy and Know Yourself
The sixth thing that a CISO can learn from military strategy is the importance of intelligence. Sun Tzu focused extensively on intelligence and famously stated that if you “Know the enemy and know yourself; in a hundred battles you will never be in peril.” For a CISO, knowing yourself starts with enterprise architecture and mission analysis; knowing the enemy involves staying up to date on what the threats to the organization are doing. Most CISOs do not have the resources to engage in serious intelligence work, so this is an area where hiring this role out to one of the firms that specializes in this work can be very helpful. CISOs should not just care about what is being said on the dark web about who is thinking about attacking whom, but should seek out the latest technically based intelligence and profiles that may not have made it into commercial signature-based scanners yet.
Dynamic cyber intelligence collection has become paramount. Microsoft has adopted this concept and receives notifications from its operating systems when they detect new potential threats. Defense and intelligence organizations should develop a joint center, in partnership with private companies, to protect critical systems, and government policy is clearly headed in this direction. Strategic CISOs across various organizations should partner to build a security council and sponsor joint capabilities where that makes sense for their business. Most organizations agree that you must understand your threat. With the cyber threat becoming so dynamic and persistent, more partnership to collect threat and intelligence data is important and becoming more so every day. Such a cyber intelligence center would both collect and disseminate information to trusted organizations with a need to know, including private industry. Both software and hardware manufacturers would be potential recipients of some of the collective intelligence.
Lesson 7: You Get What You Measure, So Choose Wisely
A final major lesson from military strategy is the importance of measurement and assessment; without it, a combatant or CISO has no idea whether what they are doing is moving them closer to their desired end state. J.C. Wylie rightly tied measurement to the heart of strategy and included a system of measures at its center. It is discouraging to see how many organizations do not even routinely count and track the number of patches that have not been applied and report the results to senior management. These are very easy and basic measurements readily available to any CISO, but they are not necessarily the best measurements available.
Metrics should always link back to the business mission, and the easiest things to measure may not be the most important things. It has long been understood that measurement influences behavior, in business as elsewhere. Just as in quantum physics, the presence of an observer will alter reality. If the key security metric reported to management is the percentage of systems that are fully patched, an organization may have very well patched systems, but are they secure? And what does “secure” mean anyway within the context of the business mission and objectives?
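As an added illustration (not from the article), the Python script below scores one constructed system inventory two ways: the patched-systems percentage this paragraph mentions, beside a figure tied only to the hosts the mission depends on, following the next paragraph's distinction between a Measure of Performance and a Measure of Effectiveness. The inventory, the field names and the mission_critical flag are assumptions made for the example.

```python
"""One patching inventory, scored as a task measure and as a mission measure."""
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str
    missing_patches: int      # applicable patches not yet applied
    mission_critical: bool    # supports a service the business mission depends on
    internet_facing: bool

# Constructed sample inventory (not real data): most hosts are patched,
# but the unpatched ones are the ones the mission depends on.
INVENTORY = [
    System("wiki", 0, False, False),
    System("dev-build-01", 0, False, False),
    System("dev-build-02", 0, False, False),
    System("print-server", 0, False, False),
    System("test-lab-vm", 0, False, False),
    System("hr-portal", 0, False, True),
    System("marketing-site", 0, False, True),
    System("order-api", 0, True, True),
    System("payment-gateway", 3, True, True),
    System("erp-db", 1, True, False),
]

def mop_fully_patched_pct(systems):
    """Measure of Performance: how well is the patching task being done?"""
    patched = sum(1 for s in systems if s.missing_patches == 0)
    return round(100 * patched / len(systems), 1)

def moe_critical_patched_pct(systems):
    """Measure of Effectiveness: are the systems the mission depends on covered?"""
    critical = [s for s in systems if s.mission_critical]
    if not critical:
        return None  # no mission mapping yet, so the MOE cannot be computed
    covered = sum(1 for s in critical if s.missing_patches == 0)
    return round(100 * covered / len(critical), 1)

def exposed_critical(systems):
    """Mission-critical, internet-facing hosts that are still missing patches."""
    return sorted(s.name for s in systems
                  if s.mission_critical and s.internet_facing and s.missing_patches > 0)

def report(systems=INVENTORY):
    return {
        "mop_fully_patched_pct": mop_fully_patched_pct(systems),   # 80.0
        "moe_critical_patched_pct": moe_critical_patched_pct(systems),  # 33.3
        "exposed_critical": exposed_critical(systems),   # ['payment-gateway']
    }
```

The same inventory reports 80% patched to management while only one of the three mission-critical hosts is covered, which is the gap the article warns the single patch metric hides.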
The U.S. military tries to address these issues by having two different types of metrics, Measures of Performance (MOP) and Measures of Effectiveness (MOE). An MOP measures how well a task is being accomplished, while an MOE measures how close the organization is to its desired objectives. An example of an MOP might be the percentage of IT systems that are
75 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide