Traditionally, tacticians in war have said, “The best defense is a good offense.” However, that statement couldn’t be farther from the truth when it comes to creating a cyberwar defense strategy.
We spoke with Joshua Douglas, Chief Strategy Officer of Cyber Services at Raytheon, to uncover other misconceptions about best practices for an effective cyber defense strategy. Douglas has nearly two decades of experience in helping global enterprises and government agencies secure their most prized business/mission assets.
During his past 11 years at Raytheon, he has served as the CTO for Forcepoint, overseeing Raytheon’s Cyber Security Intelligence Operations, Malware Concepts, Security Infrastructure Operations and Research Technologies, tasked with producing effective, forward-looking cyber software solutions to contain and control advanced threats.
These solutions are used to help commercial and government entities protect their enterprises and the global cyber supply chain from ever-changing advanced persistent threats and malware.
Christopher P. Skroupa: What are some of the common misconceptions about creating a successful cyber defense strategy?
Joshua Douglas: In short, three words: Culture, Complexity, Commitment.
I believe there are really three major misconceptions when it comes to a cyber defense strategy, centered around what I call the “Three C’s of Cyber: Culture, Complexity and Commitment.” Oddly enough, they have not changed in the last 20 years!
The first, culture. We often focus on what problems we are fighting, not why we are fighting the problems. The biggest threat we face against a successful cyber security strategy is not the bits and bytes we often protect and/or ward off. The truth of the matter is that people often make a cyber security strategy fail.
You must consider how you engage employees to be a part of the cyber security machine, and acquire the right talent to help drive security commitment from the top down. Without it, your cyber security strategy fails even before you execute the plan.
The second, complexity. As security professionals and technology junkies, we always want the shiniest tools to complete the tasks at hand. That means pushing more and more complexity into the environment. The key to a successful strategy is not to increase complexity. Rather, you must enact a plan which allows you to stay on pace with the threat, without expending more resources than the threats you are defending against.
The third, commitment. Creating a cyber security strategy can be as easy as copying one off the web, putting it in a document and sending it to everyone. This does nothing to drive commitment.
There has to be commitment from HR, Legal, Communications, Executive Leadership, etc., to build an effective strategy that can be executed and have a personal impact on every employee. That means cyber security leadership cannot be just security experts; they also have to be teachers and influencers who can explain to everyone why cyber security is important to the company and what value it brings to the roles of the individuals.
Skroupa: What aspect of cyber defense is generally neglected by executives? How should they address these gaps in their strategy?
Douglas: Executives are primarily expected to focus on the business requirements necessary to meet bookings and revenue goals on a daily basis. As a result, they typically do not think past what is required to recover from a breach, nor do they implement effective measures to prevent or decrease them in the first place.
Their focus should be on developing solid incident response plans, determining how effective their cyber security posture truly is using real-life scenarios, training their staff to become human security sensors and proactively hunting threat actors.