Cybersecurity needs both psychologists and field marshals

Many cybersecurity professionals like military analogies. Indeed, some security pros are ex-military. But after a recent security exercise involving IBM’s new lorry-mounted SOC (security operations centre), I found myself wondering just how apt those analogies really are.

For example, there’s the popular statement that is frequently misquoted as “No battle plan survives contact with the enemy.” What its author, the 19th century German field marshal and strategist, Moltke the Elder, actually said* translates as it won’t “go with certainty past first contact with the enemy’s main strength.” His thesis was not that battle plans were pointless, but that commanders should establish flexible operational frameworks, giving stated intentions rather than detailed orders.

Cybersecurity versus the big battalions

So it is – or should be – with cybersecurity. When problems arrive one by one, they can be triaged, assigned and dealt with, like an army dealing with skirmishers and probing attacks. But when a major incident occurs, that’s when the fertiliser hits the fan. The enemy’s main battle tanks have arrived en masse, and you are about to find out which of your lieutenants can think on their feet.

All this seems obvious to us today in a military context – individual leaders are expected to use their initiative and judgement to get the job done within their commander’s overall framework. And yet, while it’s standard for modern militaries, anyone who has had the misfortune to work for a micro-manager will know how firmly it is ignored in much of civilian life.

So, back to the IBM lorry. Called the X-Force Command Cyber Tactical Operation Centre (CTOC), it’s designed for multiple roles. The primary one is training exercises for cybersecurity incident response teams, but it can also be used as a mobile SOC for special events – think of IBM’s Wimbledon sponsorship, for instance – and for educational outreach.

An obvious target for the latter is schools and colleges, to interest and inspire the next generation of security professionals, but it’s more than that. Outreach can also be to anyone from journalists and industry analysts to a company’s board members – the board of course being where the data protection buck ultimately stops.

It’s a fantastic set-up inside the X-Force CTOC lorry, with its expanding sides that open into a good-sized room. As well as the fully-equipped desks of the SOC itself, there are huge screens on the walls to throw up events and chart the progress of the ‘incident’, while a computer room, satellite connectivity and a generator make it all independent of the grid.

During an exercise, IBM’s backstage trainers phone in and send messages, playing the roles of end users, anxious customers, TV reporters and more. But while all this is usually referred to as training, this is where military analogies might lead us astray. What civilians picture is soldiers practising combat skills and small-unit tactics, but in reality – and in cybersecurity – that’s only part of the story.

The psychology of stressed teams is fundamental

A far bigger part is the psychology element. Firstly, there’s getting used to thinking on your feet and taking the initiative, as old Moltke might have said. But it’s also testing how your people – both individually, and more importantly as a team – respond to stress. Do they remember the framework or do they panic? Do they co-operate with colleagues or retreat inwards, ignoring the ringing phones? Do their assignments match their individual strengths and weaknesses? And of course, does the organisation’s draft response plan actually help or hinder?

The psychology of stressed teams is fundamental to an organisation’s response to a breach or other incident. So not only is it absolutely essential to invest in adequate incident response training for your team, it must be more than just tech skills – you need to test and stress them as a team too. Only then will you find out not just how their training benefits everyday business operations, but how it works in the heat of a cyberattack.


*In the original: “Kein Operationsplan reicht mit einiger Sicherheit über das erste Zusammentreffen mit der feindlichen Hauptmacht hinaus.”