The Battlefield is Everywhere
Cybersecurity warfare transcends all traditional boundaries. As such, it is a war that requires all means of defense to be channeled toward readiness. In an age when information is omnipresent, the battlefield, while everywhere, is the organization’s operating environment.
Cybersecurity is the mission-focused and risk-optimized governance of information, which maximizes confidentiality, integrity and availability using a balanced mix of people, policy and technology while potentially improving over time.”Mansur Hasib
Maintaining that mission focus is crucial if you are to thwart the efforts of the adversary. Cybercriminals look to leverage times of uncertainty and extremely abrupt change (i.e., COVID-19) to exploit weaknesses in defenses that existed before the abrupt change but are not being given the same attention they were previously receiving.
Breaking the Will of the Adversary
The primary target in any cyber defense situation is the mind of the adversary. In fact, in my fifteen-plus years of involvement in cybersecurity, the advice that has been consistently offered to organizations has been to design a defense that would break the will of the adversary to continue their attack! Will is defined as diligent purposefulness, determination, self-control, and self-discipline. Both competitors then, in a cybersecurity situation, begin with some level of will to win.
The chaos, uncertainty, and doubt commonly prevalent in a stressful situation, such as a cyberattack, will affect the decisions of both parties. As such, having the correct mindset as an individual and/or team is crucial to success. A trained mindset has the ability to gain a better perspective on the current situation and increases one’s confidence to execute. Accordingly, the opponent who makes decisions in a timely and appropriate manner most often wins.
Mastery of the Mind
Mastery of the mind is mandatory to maintain the will that makes the difference in any stressful situation.
The mind is like water, when it is turbulent, it is difficult to see. When it is calm, everything becomes clear.” Sun Tzu, The Art of War
Calming the mind is accomplished through mastering the emotions that impact the mind and the decisions that follow. Such mastery can only be achieved through training explicitly designed to develop, hone, and expand the mental toughness of the individual and the team. The organization must collectively train to control the emotions created by the situation or they will lose every time.
Being a warrior is not about the act of fighting, it’s about being prepared to face a challenge and believing so strongly in the cause you are fighting for that you refuse to quit.”Richard Machowicz; Navy Seal; Host of Discovery Channel “Future Weapons”
Warrior Mindset Curriculum
If behavior is a learned skill, then the curriculum from which to teach the desired security behavior is a Warrior Mindset curriculum. In its most restrictive sense, a warrior mindset refers to the mental tenacity and attitude that leaders and employees are taught to adopt in the face of adversity that threatens the viability of the organization. In this context, it is a bone-deep commitment to survive a bad situation no matter the odds or difficulty. It is more than aggressiveness and determination; it’s about overcoming challenges.
A corporate warrior mindset accepts that in a crisis, a person or team does not rise to the level of the organization’s expectations, they fall to the level of their training.
To raise that level, training needs to be uncomfortable, always pushing the individual and the team to meet tougher challenges, acquire more demanding skills, make harder decisions, and build confidence and competence where any trace of uncertainty and mediocrity exists. Too often organizations tend to train in their comfort zone which leads to a false sense of confidence in their ability to respond to and defend the organization against a cyberattack. Training should be viewed as an insurance policy. You may hate paying the premiums, but when you need it you want the best coverage there is.
In any cybersecurity response, making decisions and acting faster than the adversary forces them into a constant state of reaction. The ability to make decisions and take action in this manner is known as tempo. The aim of tempo is to plan and initiate the next action while the adversary is still observing and reacting to the previous move. Often, it is through tempo that the adversary’s will is broken.
In any conflict, relative decision-making speed is a key determinant of success. The ability to act in this manner is a by-product of the training to develop a warrior mindset. Simultaneously, such training fosters the understanding that, in real-world situations, time to formulate complete plans will not be available.
In the doctrine of maneuver warfare, the first of the seven principles is to target critical vulnerabilities. An element of this principle is the creation of training scenarios for the purpose of mitigating the risk related to a critical vulnerability and preparing, in the event of a targeted attack by a cybercriminal on that vulnerability, a quick response. To that latter point, the response time to a simulated attack should be unrealistically short in order to place increased pressure on the team. The purpose of having these unrealistically short times is to further develop the ability to think several steps ahead of the adversary. Additionally, if a mistake in decision-making occurs in training there are no consequences beyond the embarrassment of making the poor decision.
The After-Action Critique
Perhaps the best opportunity to learn and improve is during the after-action critique that is part of the warrior mindset training following a test scenario. After-action reviews were originally developed in the military but, their use has extended to business as a knowledge management tool and a way to build a culture of accountability. Critical lessons and knowledge are transferred immediately in order to get the most benefit from the exercise. It is recommended that a journal be kept regarding what was successful, what could be improved, and what failed. In doing so, a running log of metrics is built that creates an objective evaluation of performance.
This critique must be approached in a manner that conforms to the warrior mindset mantra of continuously seeking improvement. Ego can get in the way of self-improvement if it is allowed to be a part of the after-action review. Therefore, egos must be left at the door with the understanding that any criticism is made with the intent of learning and lessening the possibility of repeating a decision determined to be a mistake.
True warriors put ego aside and make the principles of tactical thinking a lifestyle. They understand that hope is not a strategy and luck is not a skill. They not only recognize that they can be better, they take action to make it happen.
A Brief Caution
As a caution, don’t let a good end result justify the means by which you got there. There is always room for improvement. Be proactive about remedying shortcomings. Don’t just leave it to fate, because fate has a way of pointing out our deficiencies when it’s too late.
Some tips for improving the warrior mindset are:
- Mental dedication – Get a personal journal and record every aspect of your journey to improve. If each individual does this for their own improvement, and the security leader does it for the team, focus on the security mission will not waiver and performance will continually improve.
- Isolate strengths and weaknesses. Identify strengths and continue to develop them. Perhaps more importantly, admit weaknesses and commit to a dedicated practice that takes you out of your comfort zone as you work to lessen the weakness.
- Develop self-discipline. As the warrior mindset develops, self-discipline won’t be the problem it may be in the beginning. To lessen the difficulty in the beginning and to maintain it going forward, partner with team members to hold each other accountable. Another benefit of such aligning is the trust built from the experience and a greater understanding of the other’s responsibilities related to the security mission.