fully patched, while an MOE might be how well protected the company's Intellectual Property
(IP) is. MOPs tend to be much more specific and under the control of the CISO, while MOEs are
harder to measure but are the measurements that really matter. Good MOPs will contribute to
MOEs, but it is always tempting for CISOs to measure the things that are easy to measure rather
than the important things. Patching systems is a good thing, but it does not guarantee that IP is
protected; numerous other things will need to be done as well. The mission analysis done to
identify cyber key terrain will help guide the development of meaningful MOEs that can help a
CISO understand how well they are doing, in the same way that such measures guide military strategists.

There are seven useful strands of strategic thought that can be extracted from military strategy
and repurposed to great effect by modern CISOs. That there are so many useful lessons
applicable to CISOs should not be that surprising; cyberspace attacks on businesses are similar
to physical warfare because in both cases humans in conflict are at the heart of the matter and
this human dynamic has great impact. The first lesson that CISOs can pull from the strategic
theorists is the importance of ensuring that their objectives are always tied to the larger
business objectives and that security for its own sake should never be pursued. The second
lesson is that the adversaries attempting to attack or disrupt business systems will respond
dynamically and often in unexpected ways to every action taken by defenders.

This dynamic maneuvering is available to defenders as well, who need to be agile and
responsive while defending the most important cyber terrain. That terrain should be identified via the
third lesson: a defender must understand and focus on the right center of gravity. The fourth
lesson suggests that an indirect approach is often more fruitful than charging straight into every
problem, and the fifth principle, flexibility and resiliency, is most often what enables that
indirect approach. The sixth lesson from military strategy is the importance for a CISO of
understanding both their actual situation and that of their adversaries as accurately as possible, and
the final, seventh lesson is the importance of measurements and metrics. An organization will
normally get more of whatever it values and measures, so it is critical that a CISO measure the
right things, the ones that lead to the desired objectives and end state. All seven of these principles and
lessons can help a CISO be more effective in the fast-moving and technologically grounded
world of today's organizations, and when the principles are combined, the synergy among
them is even more powerful.



1 Todd Fitzgerald and Micki Krause, eds., "What You Told Us: A CISO Survey," in CISO Leadership: Essential
Principles for Success (Auerbach Publications, 2008), 3.
2 William D. Bryant, International Conflict and Cyberspace Superiority: Theory and Practice (London: Routledge,
2015), 208-210.
3 A good definition of OT is "hardware and software that detects or causes a change through the direct monitoring
and/or control of physical devices, processes and events in the enterprise." Gartner, "Operational Technology (OT),"
Gartner IT Glossary, http://www.gartner.com/it-glossary/operational-technology-ot.
4 The top definition from Merriam-Webster is "of or relating to a general plan that is created to achieve a goal in
war, politics, etc., usually over a long period of time." Merriam-Webster Dictionary, "strategic," Merriam-Webster,
Incorporated, http://www.merriam-webster.com/dictionary/strategic. That type of definition is very broad and not
very specific.



76 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
