Why your security strategy should not be created in a vacuum

“His army was small, undertrained, undersupplied, and fragile. He waged a war mostly of defense, deliberately avoiding large formations of British troops. For all the rhetoric, most of his maneuvers were pinpricks against a stronger, bigger enemy. Hit and run. Stick and move.” - Ryan Holiday

[Image: Battle of Trenton. Credit: Hugh Charles McBarron, Jr.]

The quote above refers to the army of General George Washington. He led a comparatively small, undermanned, undertrained, and undersupplied army. As a result, he could not fight the British using conventional methods. Washington had to develop a strategy that reflected the abilities and resources under his control. To do otherwise would have resulted in almost certain defeat.

Today, our enterprises are being attacked 24/7 by small enemies that use the same type of tactics as Gen. George Washington. Our enemies use a series of "pinpricks" to infiltrate our networks, hide themselves, and move around at will. Your organization is well equipped, well funded, and slow. It requires teamwork and time to make changes. All the while, the enemy can stop on a dime, change course, regroup, and continue attacking.


They gain a lot of momentum very quickly because they don't play by the rules. Your enemies have one goal in mind, and that is to gain unauthorized access to your information. They are free from serving the interests of multiple stakeholders and unencumbered by business processes. Furthermore, they don't have to answer to shareholders or government regulators.

If you want to defend your firm, please consider the following.

The line of least expectation

“Take a step back, then go around the problem. Find some leverage. Approach from what is called the ‘line of least expectation.’” - Ryan Holiday, The Obstacle is the Way

The enemy hits and moves, inflicting small wounds that eventually lead to significant losses. Take a moment and consider the information from the Verizon DBIR. Now ask yourself, "how does the enemy view us?" The answer is quite simple. Comparatively, corporate America seems slow to react, short of the personnel needed to defend itself, and technologically bloated. Your firm is sophisticated technically, but technology still requires people and processes behind it.

Create leverage

"If we're starting from scratch and the established players have had time to build up their defenses, there is just no way we are going to beat them on their strengths. So it's smarter to not even try, but instead, focus our limited resources elsewhere." - Ryan Holiday, The Obstacle is the Way

To turn this in your favor, you have to clear the obstacle and blaze a trail. Technology is irrelevant until you learn to support it with people and processes. Security is not just the responsibility of the IT department; it is everyone's responsibility to keep the organization safe. Changing the prevailing security culture should be your priority. Then you can begin creating the policies and processes that will leverage your technology.

The people attacking our networks only have to get it right once. Your defenders have to get it right all the time. Do you stand a better chance if only the IT department bears the weight of securing the organization? Or does spreading the responsibility among all stakeholders create more leverage?

Little defeats big

“We’re in the game of little defeating big. Therefore, Force can’t try to match Force.” - Ryan Holiday, The Obstacle is the Way

Gen. George Washington won because he recognized that rules are good until they aren't good any longer. He chose to battle the British Army using unconventional methods that leveraged the strengths of his people. The same is true of the cyber criminals who attack our networks. They have chosen to play by a different rule book, one which swings the advantage in their favor. They count on your organization being big, slow to react, and slow to change.

Since our firms cannot win playing by the same rules, it is time to re-engineer the rule book. In the U.S. Army, all military occupational specialties learn basic combat skills because winning the battle is everyone's responsibility. Everyone has to understand that winning is a team responsibility. Winning on the cyber battlefield is more about defense than offense.

Look deep within your organization and determine what is helping and what is hindering. Shed the burden of anything that is not aiding your defense. Chances are you cannot move with the agility of the little guy, but you have a lot of advantages: numbers, resources, and sheer willpower. It won't be easy, but on the cyber battlefield, large can defeat little.

I always get asked about the tools and technologies needed to build a sound cyber strategy. That is the old-school mentality which believes future success is determined by throwing money at problems, when, in reality, your success depends on developing your People, your Processes, and your Technology. Cookie-cutter strategies formulated in stove-piped environments won't work any longer.

This article is published as part of the IDG Contributor Network.
