I have an impression that in the course of the day-to-day grind, many security leaders have lost sight of a core tenet of cybersecurity: that it is adversarial. Ultimately, the core of most cybersecurity risks is defenders trying to stop attackers. Both sides are seeking to outwit each other. This contest is mediated by a number of variables, such as technologies, law enforcement, and geopolitics, but at its core cybersecurity is humans at their keyboards. The skill level of the two sides significantly affects outcomes. I think this is something that many security practitioners understand implicitly but do not account for explicitly in security programs.
Finding the Right Metaphor
Openly discussing cybersecurity as an adversarial endeavor lets us draw analogies between it and other contested situations. These can in turn inform cybersecurity strategies. In America we have a tendency to discuss complex issues through sports metaphors, but I think that attempting to do so with cybersecurity can lead to erroneous comparisons.
For example, the closest sports analogy I can think of is F1 racing, where both technology and skill affect outcomes. That said, cybersecurity is full of anecdotes in which clever teenagers and small teams have run circles around much larger, better-resourced organizations. I am not aware of any examples in which a teenager in a golf cart won an F1 race. The cybersecurity incidents for which we have details seem to indicate that skill, not technology, is the more significant variable in who prevails.
A better analog for cybersecurity may be the legal profession. Both fields include adversarial elements. Both rely on expertise for competence, yet a strong academic foundation does not inherently make one a competent practitioner. Finally, both cybersecurity and legal experts practice inside and outside organizations.
The legal profession is more mature and has openly self-organized based on considerations such as cost and expertise. On one end of the spectrum you may have a small-town lawyer who practices in nearly every aspect of the law. Their rates are limited by what their region can afford. On the other end you have K Street law firms that employ experts in specific areas and have international client bases. They can charge significantly higher rates based on their expertise and reputation.
Expertise Matters in Adversarial Industries
We have begun to see a similar self-organization occur in the cybersecurity services industry. Some organizations are using automation and international resources to drive the costs of services down and make things like pen tests more accessible in the market. Other firms have cultivated specific expertise and reputations for tackling hard problems.
These analogies can lead to some potentially uncomfortable questions for cybersecurity leaders. Do you have the right expertise on your team? Put differently, if you are potentially a target for advanced persistent threats, are the members of your team at a comparable level of sophistication to a nation state? What proportion of time and attention do you pay to people operations compared to technical solutions, controls, compliance, etc.?
Separately, do you have the right sorts of relationships with third-party partners? Do they have the expertise to fill your own knowledge gaps? Zooming out, do you view your security vendors as partners? Have you identified the right security partner? If this discussion resonates with you, you may need to reconsider your standard business practices as they apply to security partners. For example, you wouldn’t select a lawyer through an RFP, nor would you rotate your counsel at a recurring interval.
In an adversarial cybersecurity environment, the skill and expertise of your team may be the most important variable in determining the effectiveness of your security program. Not compliance, not your tech stack. Do your people operations strategy and relationships with third-party partners reflect that?
This article is the first in a three-part series exploring cybersecurity strategy from a big-picture perspective. The next installment is here.