Cybersecurity Lessons Learned from the 9/11 Commission Report

Organizations must move beyond misaligned goals, poor collaboration, and organizational intransigence that hamper cybersecurity efforts at enterprise organizations.

Cybersecurity and IT professionals would be wise to review the findings of the 9/11 Commission report published in 2004. The report provides a comprehensive analysis of events surrounding the attacks and points to a number of systemic problems in several areas:

  • Management. “The missed opportunities to thwart the 9/11 plot were symptoms of a broader inability to adapt the way government manages problems to the new challenges of the twenty-first century… Management should have ensured that information was shared and duties were clearly assigned across agencies, and across the foreign-domestic divide.”
  • The chain of command. “At more senior levels, communication was poor. Senior military and FAA leaders had no effective communication with each other. The chain of command did not function well.”
  • Emergency response. “Effective decision making in New York was hampered by problems in command and control and in internal communications. Within the Fire Department of New York, this was true for several reasons: the magnitude of the incident was unforeseen; commanders had difficulty communicating with their units; more units were actually dispatched than were ordered by the chiefs; some units self-dispatched; and once units arrived at the World Trade Center, they were neither comprehensively accounted for nor coordinated.”

These findings are frighteningly similar to what I observe at enterprise organizations all the time. Cybersecurity organizations continue to address risks as they did in 2005, with an assortment of disconnected point tools and manual processes. Enterprise organizations struggle to operationalize and share threat intelligence efficiently or effectively. Incident response processes are haphazard and IT-centric, while emergency response is often hampered by organizational friction and communication/collaboration issues between cybersecurity and network operations teams.

Fortunately, the 9/11 Commission report didn’t just expose problems; it also proposed a series of solutions for risk mitigation and process improvement. Here is a list of the 9/11 Commission recommendations and how they should be applied to enterprise security:

  • Unifying strategic intelligence and operational planning. In enterprise cybersecurity, this means embracing threat intelligence consumption and sharing best practices and developing a formal documented incident response plan. Incident response platforms from vendors like Invotas, Phantom Cyber, and Resilient Systems may also be helpful here for operational planning, workflow management, and process automation. 
  • Unifying the intelligence community with a new National Intelligence Director. From a cybersecurity perspective, organizations must empower CISOs by having them report directly to CEOs or CIOs, rather than up through the IT chain-of-command. Furthermore, CISOs should be intimately involved in board-level risk assessment and management strategies. 
  • Unifying and strengthening congressional oversight to improve quality and accountability. In this regard, corporate boards and executives must make sure that they have the right level of cybersecurity education and knowledge to make sound strategic decisions. They must also be active and accountable for IT risk mitigation, security controls, and best practices.
  • Strengthening the FBI and homeland defenders. This may be the most important recommendation of all as many cybersecurity organizations remain understaffed and lacking the right skills. This issue will take some creativity to address due to the global cybersecurity skills shortage. Organizations should certainly hire top talent when possible, but also focus on technology integration and security process automation to streamline security operations. It is also worthwhile to review all cybersecurity processes and technologies and determine which tasks can be offloaded to MSSPs and cloud service providers like Dell SecureWorks, HP, IBM, Proofpoint, Symantec, and Zscaler as a means for freeing up security personnel without increasing risk. 

Obviously, enterprise security doesn’t compare to the national tragedy of 9/11/2001, but there are still lessons to be learned. As Spanish philosopher George Santayana presciently stated, “Those who fail to learn from history are doomed to repeat it.”

Copyright © 2015 IDG Communications, Inc.
