Oftentimes, it is said, we fight the last war. It happens when strategists fail to account for changes in the security environment, like the birth of the machine gun, the tank, or the improvised explosive device – technological innovations that altered how conflicts unfold.
Today in cybersecurity, organizations are still overly focused on securing the perimeter – on keeping intruders out of a network. While perimeter defense is a key part of the total security stack, it is not sufficient for effective cybersecurity.
We know from history that it’s not a question of if but when an intruder will break into a data center. Once inside, absent internal security systems, intruders almost always have the keys to the kingdom and can rove around unencumbered until they get their hands on an organization’s crown jewels. See, for example, China penetrating the U.S. Office of Personnel Management, or the attack on Singapore’s health service, SingHealth.
Organizations need to invest for the day when their perimeter defenses fail. And most often, they haven’t. Why?
Why doesn’t every major governmental organization adopt the “assume breach” mentality and invest in defense-in-depth strategies? The answer comes in part from a deficiency of habit. Strategic and scenario planning can help organizations get ahead of threats. Such planning requires expertise, sure – but above all it requires the regular habit of setting aside time to think about and plan for the future. A habit that every leader should follow.
At the Pentagon, we had strategic habits forced upon us from the outside as well as from within. The process continues today: Congress mandates the Quadrennial Defense Review (QDR), a four-year cycle of policy planning and budgeting to force the Defense Department to do long-term strategic planning. The QDR drives policy as well as technological capability investments. The Pentagon had short-range planning forced on it too. The Secretary of Defense requires the military to plan for conflicts (or lower-level contingencies) with country X, Y, or Z or for homeland defense incident A, B, or C.
Most of these short-term plans are obviously classified. Sometimes they focus on countering an adversary. Sometimes they focus on securing the homeland or preparing America’s cities and towns for natural disasters. In each instance, the military and parts of the national security community have to imagine scenarios, identify objectives, and determine the components required for an effective contingency plan to succeed. From those plans, exercises and exercises and exercises follow.
There is a connection between long-term and short-term planning. Longer-term strategic planning like the QDR sets strategic goals and objectives for four or five years. It identifies major technological expenditures for future budget years, like the building of aircraft carriers, new scientific research, or the development of any military capabilities that the intelligence and national security community deem vital for the long term. Short-term plans force you to work with what you have today – and sometimes the planning and operations process identifies gaps for the future. They should nest within the broader strategy for the future.
The habit of thinking strategically doesn’t come naturally to everyone. If it’s not forced on you from the outside, like through Congress or another regulation, the only way to do it is to force yourself.
Executives can take the lead by setting planning requirements. Boards can play a part too. Employees sometimes resist strategic planning. It takes time and requires effort, but it almost always becomes a valuable, creative process for the company. Nine times out of ten, an organization will leave a planning and strategy exercise better aware of its strengths, weaknesses, opportunities, and risks than at the start – and with a greater sense of strategic purpose around interests, goals, and objectives.
Start today to develop a habit for strategic thinking. Do it regularly. Carve out time. Bring others in. Questions can help drive the discussion. How are trends aligning to present opportunities and risks? What are goals from within the cybersecurity landscape, and what obstacles lie in the way? Have you thought about how potential adversaries could exploit your overall weaknesses and risks? How can you capitalize on your strengths? Frame these questions over short- and long-term timeframes.
I will talk more in the coming weeks and months about best practices for leaders and organizations around long-term and short-term planning for cybersecurity. Outside of regulation, it all starts by forming a habit for doing the thinking.