In military operations, good leaders never make a move without the best available intelligence and a strong sense of situational awareness. To do otherwise is tantamount to flying blind, something a good pilot or business leader should avoid.
Unfortunately, too many leaders of industry and commerce seem to be flying blind in today’s cyber domain.
“The Cyber-readiness Reality Check,” an independent survey recently commissioned by my company, CounterTack, Inc., reveals that more than one-third of cyber security executives at companies with revenues greater than $100 million are unable to see an attack once it finds its way inside the perimeter of their systems.
This lack of awareness may help to explain why only about half believe they’ve been targeted by advanced threats within the past year, despite industry data showing the number of these organizations under attack is much closer to 100%.
The problem is exacerbated when senior leadership defers to the IT department in all matters pertaining to information security. “That’s our CIO’s responsibility,” is a comment I often hear when speaking with senior and chief executives about cyber defense. This attitude is especially prevalent at financial services entities.
While IT security departments certainly must bear responsibility, the executive leader at the top of any organization should understand and take ownership of the problem if security is to have a fighting chance of attaining the resources needed for effective self-defense.
Today’s advanced and evolving cyber challenges require a new approach and dedicated resources, but many organizations seemingly have yet to figure this out. Nearly half of survey respondents say they need a better-educated security team, with 44% indicating a lack of time or resources as the reason they don’t have one.
Other survey data indicates cause for optimism but also some misguided enthusiasm. According to survey responses, most organizations favor the idea of a military-style approach to cyber defense (emphasizing real-time intelligence gathering and situational awareness) – but more than half thought their companies would be well served by the ability to “strike back” against their attackers.
In my opinion, this mindset reveals misplaced priorities. An enterprise should focus on its core business while defending the most critical assets, not striking back at unseen adversaries.
This is not to say that those responsible for cyber security can’t learn from the military when it comes to playing defense. From my experience, I believe two of the most important lessons to apply in cyber space relate to intelligence and adaptability.
— First, real-time situational awareness and intelligence enable an active and effective defense.
— Second, the battlefield is ever changing, and this requires constant monitoring, assessment and adjustment.
Once you know where your enemies are and what they’re doing, you’ll find the best defense is a proactive posture – one that enables you to understand, isolate, avoid and deflect – or even deceive – your attackers.
The ancient Chinese military general and author of “The Art of War,” Sun Tzu, once said, “It is best to win without fighting.” I couldn’t agree more.
Fox Fallon served as commander of U.S. Pacific Command from 2005 to 2007, and U.S. Central Command from 2007 to 2008. He is now chairman of the board of CounterTack, Inc.