Why Cyber Fails on its Own
Converged Security Teams are Hard to Field
Why do cybersecurity organizations systemically fail to get buy-in and to secure and appropriate budget and resources? Why does the U.S. Department of Defense (DoD) routinely retool, redefine, and refocus its approach to military cyberspace operations? What is the need driving this constant evolution, routinizing an endless budget drain? As a career law enforcement (LE) pro recently asked me, “where does it all end?”
Teammates often hear me remark: “if you want new ideas, read old books.” I consider how history gives us many lessons in concepts we falsely believe are new. Nearly every security concept used in modern cybersecurity can trace its application back centuries and even millennia. From Athenian encryption to Chinese operational security along the Silk Road and beyond medieval guilds and trade secrets, we see the arc of security and the plane on which we stand.
Cyber concepts have morphed, spanning over 20 years of my professional defense, national security, and commercial experience. They provide some incredible insights. I’ve watched evolutions from the most advanced formations in the world and (more often than not) units that struggle to find their feet. Successful organizations succeed through a clairvoyant, task-driven culture. Those that struggle constantly chase an insatiable appetite for budget and resources, generally lack unison, and are often missing purpose. There is a very good reason that in upper echelon military formations we see terms like task and force in the title.
Highly effective organizations have budget and resources, but it’s their collective purpose, mission, and objective that drives this kind of performance. If you have experienced this sort of pure cohesion, you know the difference. Converged organizations typically have a huge toolbox across every member of an ultra-talented team. In my lifetime, those security organizations using cyber as a tool among many tools exercise effective converged security, day-to-day — year-to-year. It’s remarkable!
Some may argue this is due to budget or resource availability. The real head-scratcher is that some of the biggest organizations with the biggest budgets available cannot outpunch a well-tuned team. Organizations need to know their objective, which strategy to apply and to which audience they apply.
Putting a finer point on cyber failures: the DoD has an epic past of exquisite capability management and strategy mismatches. The mismatch occurs across military services and between governmental and corporate worlds. The problem is not that cyber is unique. The problem stems from a lack of appreciation for organizational integration and jointness. Commercial cybersecurity problems are not complete outliers when compared to their defense and national security cousins. Let’s explore three focus areas to help illustrate these failures across collision, precision, and expression as a frame through which to appreciate converged security’s overlap with cybersecurity.
1. Collision: Military service doctrine enables a wartime mission through peacetime budgeting strategy. Why? Organizational survival and limited converged thinking are often at odds. Do our teammates have an over-reliance on exclusive terms of craft that results in talking past one another? Is our culture requiring an overly restrictive view on the role of cyber in the broader context of security?
Dan Builder’s 1989 study on “The Masks of War: American Military Styles in Strategy and Analysis” unveils some remarkable stories about the inner workings of the world’s most effective institutes. Builder paints a view on the caricature of each DoD service — the Army, Navy, and Air Force. Builder details the security the DoD was required to provide, and how each service built a strategy. Astonishingly and despite service strategy differences, the budget, personality, and sustainable security capability are collectively driven by survival for exactly the opposite purpose required by their mission. DoD service branches built strategies for budget survival in times of peace and stability rather than the required wartime security and objectives.
Corporate cybersecurity is no different. Collisions from the very top are sadly normal. Why are crisis response plans and cyber crisis response plans different? Why are IT and OT cybersecurity activities untethered from physical security? Why does cyber threat intelligence struggle to meet strategic intelligence requirements? Privacy and legal teams remain uneasy around cybersecurity despite knowing that “you can have security without privacy but not privacy without security.” Our challenge is often related to inconsistent language and the unwitting transmission of false precision.
2. Precision: Warfighting domains complicate converged joint operations, plans and strategy. How complicated is coordinating across functional, regional, and authority equities rather than a single purpose-built empowered workforce? The ability to adequately orchestrate such an organization comes down to the ability to routinely exercise precision. Calls for flatter structures appear to translate into calls for large under-skilled capability and assumed budget gains.
The DoD defines five warfighting domains, adding cyberspace most recently in 2022. Presently, the domains of air, land, maritime, and space sound relatively innocuous. Military forces are built to dominate a domain but since the introduction of the Air Force have complicated which force had which capabilities and how they were prioritized. The introduction of maritime-based naval bombardment of land targets makes the point clear. The Navy was disinclined to provide close air support supporting a completely different domain. Was the Navy prioritizing an enormous warfighting differentiator for the Army to be successful? The transaction is limited by service equity and is often seen as ineffective.
This intricacy puts a region, a function, and organizational requirements at odds with each other, thus driving cost in a predictable direction. It also drove capability in a converse direction. If the Navy deprioritizes aircraft carrier-based land assaults, can the Army successfully propose an Army aircraft carrier option to support its own mission?
Military cyber operations exemplify this collision through professional experience, but it is discussed at length in Builder’s study. A regional command assigned with land forces (Army) expertise might require a cyber operation targeting an adversary-aligned force (Air Force) that seeks to use Navy cyberspace capabilities on a ground target. Successfully employing converged multi-domain operations will prove to be possible not as a feature of joint warfighting doctrine but as a result of good networking and centralized leadership. It’s the challenge U.S. interagency task forces were built to solve. Unsurprisingly, this is not an exclusively military hurdle.
In commercial security, artificial boundaries have routinely limited the impact of right-sized cybersecurity formations. The equities in legal, privacy, third-party risk management, and business operations are so purposefully intertwined that it can be easy to forget the collective task relationship to our day-to-day purpose. And, like the military, the private sector exercises its mission for its ends or to survive market realities.
Private industry often fields a team funded for a limited threat environment while expecting an under-developed workforce to effectively detect, respond to, and recover from catastrophic and unending business impact. We have taken too little value in assessing our workforce needs and have imprecisely articulated our resource needs while expecting a security team to perform under pressure for a mission not routinely exercised. The military’s off-azimuth peacetime strategy hasn’t been as affected as the private industry, but massive budgets and secrecy offer a differentiated advantage. It is not surprising that constant revisions in military cyberspace operations jargon have diverged from the potential for cleaner public-private partnerships in holistic cybersecurity.
3. Expression: Disparate cyber jargon from defense to industry limits adoption and comfort due to over-reliance on exclusive terms. Agreeing on and adhering to routine and widely acknowledged terms can be a tool of power projection, as cyber terms tend to exclude portions of an audience.
Questioning why we use cyber terms like hooking, sniffing, and war-dialing is nearly as ridiculous as the military’s use of terms like effects, forces, and methods. What in the world do these mean, and to whom? It’s no wonder we struggle to communicate — not just Python or R, but Navy or Joint, NIST or NSPM-21. Sprinkle in English-as-a-second-language speakers without interpretation challenges — we as a profession are largely disadvantaging ourselves.
Terms and words are important tools of leaders and workers alike. Having a core set of terms helps to ensure the expression of an objective, strategy, and audience is received as it was intended to be transmitted. We have a responsibility to be more inclusive in our language and drive staff to broad definitions that can be widely agreed.
The term asset is a great example, often connoting devices or systems. But NIST includes an incredibly broad definition that includes people. Zero-trust is almost always associated with network architecture, but there too is a failure to recognize that zero-trust starts with people. There are countless examples where real definitions are misused, resulting in a need to create new terms rather than reform old ones. Even I have looked to redefine terms due to the strong, negative connotations associated with them. The problem is the point — we take too little time to create a system for terms of art, rarely enforce (through positive pressure) the accuracy of their use, and allow the magnitude of status quo to anchor us. So what to do…
Why do cybersecurity organizations fail, reinvent their purpose, and use budget as a measure of success? Clearly the answer is not simple nor straightforward. I can offer a few suggestions that might help lubricate the mind.
Cybersecurity organizations need to start with organizational requirements based on a reasonable horizon that does not undermine enduring vision. The failures are largely due to objective and strategy shortsightedness and collisions among organizational requirements. Sure, budget is a part of that — but as an enabling ability to control risk.
Cybersecurity organizations also need to contemplate converged model design and characterize its inherent cost and benefit. They are not for every organization nor are they a requirement to meet assessed top tier maturity. Converged security formations will empower people and enable a workforce with applicable and diverse skills. This builds inherent resilience across your team, and (if done right) between and across teams. Human-centric and Human-Domain Security will lean in favor of the converged model, but there are risks to enduring people acquisition, capacity, and retention. Again, budget is an enabler if your objective, strategy and audience are clear and established.
Budget stability and optimization is the golden hen but it should not be a guiding light or guardrail. Cybersecurity benchmarking often uses peer total cybersecurity spend, cybersecurity proportion of IT spend, and even total organizational spend. Look at successful professional teams throughout sports history — the Yankees, the Canadiens and Patriots. In their heyday, they had incredibly high retention, morale and will to win. Again, budget was there — but it was the hivemind of converged organizational styles that drove value, impact, and wins.
Where it all ends is a place that so empowers a portfolio of professions (in cybersecurity) that routine efforts to deny or manipulate technology confidentiality, integrity, and availability will start to exponentially approach zero. We are a long way from that place, but leaders with converged security experience will start to emerge as a key differentiator in the global values competition. For leaders of converged security, harmonizing a team of professionals is the ultimate reward. Where will you start?