Finally, speed is a significant financial lever. Beyond the normal cost considerations of time to acquisition, time to deployment, and other accounting mechanisms that manage the total operating cost of programs, projects, and operations, the reality is that the speed of the next generational digital economy and the infrastructures you protect will essentially shorten the lifespan of any given technology or capital investment in your cybersecurity defense architecture. Technology in a normalized information technology portfolio is rationalized into a three- to five-year investment with a depreciation scheme that has been the standard for multiple decades. However, with the advancement of the criminal use of technology, protective and defense technology lifespans have been greatly reduced. Through artificial intelligence (AI) and machine learning (ML), and the use of intelligence services, criminals can now identify, recalculate, and react to technology in record time, sometimes reducing the expected lifetime of a cybersecurity asset and investment from years to months or even days.
This chapter focuses on strategies to understand, plan for, and affect the impact of speed on how you think about and execute your responsibilities in defending your business or agency.
THE STRATEGIC IMPERATIVES
You may think that to align to the change in speed, you simply have to move and act faster. Although in some cases that is true, there are better ways to approach operational acceleration and excellence in the face of dynamic change than fighting speed with more speed. How we think, act, and instrument our protection portfolio and operations are all key aspects in making this dynamic shift to operational enablement in the age of speed. The reality is that the world, technology, and threats will only continue to gain momentum, and if the only tool in your toolbox is an ability to run faster, you'll soon realize the limits of that way of thinking. Strategic imperatives such as risk, intelligence, transparency, and action-based decision making are additional tools that when learned, practiced, and mastered will create new capabilities that are far more effective and sustainable than speed itself.
THE PURPOSE OF YOUR MISSION
Before you can decide how to best apply your newfound strategic tools, you must know the “why” of the “how and when” you will need to use them. Every business, industry, and organization is different. The reasons you need to protect your organization and how you protect it are important. Why you do what you do feeds into your organizational risk appetite, defines your value at risk, and informs key decision-making points such as the level of accuracy needed versus speed and financial investments. Working through a normalized risk process, or even something as simple as sitting down with your business leaders and discussing the downstream residual impact of cybersecurity failure, will help inform and shape your mission parameters. Are you part of critical infrastructure? Would intellectual property loss ruin your business? Can your business ecosystem outside your control cause irreparable damage? These questions and many others should be the foundational elements of how you describe your “business of security” and what your mission focus is. In turn, as you begin to consider the implication of the speed used against you and the speed that will help you accelerate your effectiveness, a deep understanding of your mission imperatives in alignment with the following five critical areas of planning will ensure your success in the hyperconnected and hyperspeed world in which you operate:
1 Understand your environment. Your success depends on your direct ability to succeed within the environment in which you operate. To do that, you need to understand your environment through transparency, knowledge, and access. This includes crucial elements such as understanding your critical assets, a holistic understanding of the resources and technology deployed through a comprehensive configuration management database (CMDB), and data flow diagrams that detail how information flows through your business. Just as important is the understanding of your third-party ecosystem, your supply chain, and how your services are in effect an integrated component of your customers' supply chains. Your ability to quickly understand the impact of any given event through this level of transparency is a fundamental component to being able to think and act quickly.
2 Drive safely at high speed. Your business success depends on speed to market and speed to respond. Your job is to get everyone there safely. This sense of speed enablement, or acting like the brakes on the car so your business is confident to go faster, requires a mature risk process. Effective risk programs have tiers of risk considerations and actions that create broad bands of flexibility and enable decision making based on preselected and informed risk formulas that serve as guiding principles. Spending time developing those mechanisms and allowing them to mature, educating your business, and just as importantly, educating your team will empower and enable all levels of the organization to recognize and facilitate business-based risk decision making at speed.
3 Plan ahead. Your opposition is well funded, utilizing capabilities and decisioning guiderails that are faster than yours. As in an old-fashioned gunfight, the first one to put lead on the target wins. This means that you need to be comfortable with rapid decision making based on accumulated knowledge rather than absolutes and have a “gun belt” of premade decisions, actions, and plans on your side. For instance, if you have a ransomware incident that is less than x% contained, do you shut down your data center? If you are suffering a financial crimes attack, will you call law enforcement, and if so, what agency and what is their number? Simple efforts such as tabletop exercises or defining preplanned partners significantly add to your ability to react fast in times of crisis. Prepositioned decision making agreed to by your leadership also ensures that your business will understand, support, and expect clear action and leadership from you when needed.
4 See the big picture. You need over-the-horizon threat modeling. I think everyone would agree that seeing a speeding train coming at you is better than getting run over by one. Unfortunately, too many people concentrate too myopically on their own operating environment and never look up long enough to see the train coming down the tracks. The use of intelligence services, information-sharing partnerships, and other mechanisms that give you a view outside your business into adjacent industries, like competitors or aligned ecosystems, are great ways to measure and prepare for the potential impact of issues not yet affecting your business. This greatly enhances your time to prepare, plan, and react to situations and opportunities that too often are missed because of insular behaviors.
5 Make the most of limited resources. Managing a business with limited return on investment (ROI), no profit, and smaller teams takes a different approach. Not every industry has the mission criticality of a nuclear power plant or the financial resources of the financial sector, and most of us never will. But just because we can't build large operating teams doesn't mean there aren't methodologies we can put forth to make us more nimble and adaptable. For instance, sometimes less is more. Often, many of the services we use are not employed on a constant basis, and thus the costs associated with maintaining them or the skills needed to maintain them are wasted. Why not consider third-party contracting support for those services? And that's not just for limited services. If there are opportunities to leverage or utilize an ecosystem of providers to deliver core services at a lower cost, or to use automation and cloud-based services to maintain a more current and manageable portion of your operations, why not consider them? Sometimes, using simplified capabilities rather than an entire offering allows you to have those capabilities most necessary to react fast for the most critical issue, while maintaining a profit and loss (P&L) reasonable for your business.
THE SCIENCE OF RACING: ACCELERATION, DECELERATION, HARD BRAKING, AND KNOWING WHEN TO APPLY EACH
The natural attraction of humans to speed has been a part of our history from the time we could walk upright.