Seven strands of military strategic thought are useful for modern CISOs. The first is the importance of ensuring that a CISO’s objectives are always tied to the larger business objectives. The second is that adversaries will respond dynamically, and often in unexpected ways, to every action taken by defenders, and the third is that a defender must understand and focus on the right center of gravity. The fourth suggests that an indirect approach is often more fruitful than charging straight into every problem, and the fifth is that flexibility and resiliency are most often needed to enable that indirect approach. The sixth lesson from military strategy is the importance of a CISO understanding both their actual situation and that of their adversaries as accurately as possible, and the seventh and final lesson is the importance of measurements and metrics.
The Strategic CISO: Learning from the Masters of War
The Chief Information Security Officer or CISO is a relatively new phenomenon. In medium and large firms they have gone from almost unheard of in the early 2000s to very common in less than a decade. While a CISO’s role and scope of responsibility can vary from firm to firm, generally they are responsible for the defense of business and enterprise networks from attackers of all levels, from unsophisticated attackers running tools or “script kiddies” up through nation state level attackers. The responsibilities of a typical CISO have also started to expand to cover not just Information Technology (IT) but also Operational Technology (OT) as the importance and vulnerability of those systems have become more broadly understood. CISOs most often come from an IT background as that is where the bulk of their responsibility has traditionally been. Because of their technological focus, CISOs are often admonished to be “strategic” instead of tactically focused on technology. But what does it mean for a CISO to be strategic?
There are few words in the English language abused as often as “strategic.” Official definitions abound but for many people a “strategy” has become almost synonymous with a plan and is simply a concept of how something is to be accomplished. Military thinkers, on the other hand, have drawn a firm distinction between planning and strategy with strategy being more about the “why” and planning about the “how.” Is there something for CISOs in the thousands of years of carefully recorded thinking about military strategy that would apply to their business focused strategies?
Physical warfare can be thought of as analogous to attacks in cyberspace since in both cases humans in conflict are at the heart of the matter. Accordingly, there are useful strands of strategic thought that can be extracted from military strategy and repurposed to great effect by modern CISOs. Before pulling out specific strands of use to CISOs, it is worthwhile to briefly look at some well-known concepts of what strategy is, and how those concepts might apply to the problems faced by a CISO.
Academics who study strategy and warfare like nothing more than to endlessly debate the definition of strategy; for a CISO, however, I think that Colin Gray’s definition is the most useful when coupled with additional elements from J. C. Wylie. Gray’s definition of strategy is essentially that it is the “bridge that connects the worlds of policy and military power.” Good strategy ensures that military force is applied in such a way as to further the political policy of the state. This almost seems so obvious as to not be worth saying unless you consider any number of historical examples where military operations took precedence over policy with disastrous results for the nations involved. When applied to a CISO, Gray’s definition can be modified to state that a strategic CISO should be the bridge that connects the two worlds of business objectives and cybersecurity. Security should serve and enable business objectives, never the other way around. Wylie adds one useful element missing from Gray’s definition when he adds that strategy should also include a systematic way to measure its success. Defining the goals, ensuring they are achievable and time bound while developing the metrics to achieve them is a critical, but too often overlooked, aspect of organizational leadership.
Establishing what are often referred to as SMART goals is an essential element. SMART goals are Specific, Measurable, Attainable, Reportable and Time bound. There are many benefits to specifying and defining strategic goals. Lower echelons of your organization are empowered to focus and organize their efforts to achieve the goals and prioritization becomes more achievable because the tradeoff decisions can be evaluated in terms of goal achievement. This is just as true of a CISO who should be able to determine if a given strategy is successful in supporting the business objectives and then have the ability to demonstrate that level of success to the leadership of the company.
While the basic concept of strategy is similar between modern business and traditional military strategy, is that as far as it goes? What can a long dead 19th century Prussian philosopher of war possibly have to say to a 21st century CISO that will be relevant and useful? Wherever people have fought, whether on land, sea, or air the heart of the matter has been humans in conflict who act, and react, in similar ways. As conflict has extended into space and cyberspace, that still appears to hold true. Carl von Clausewitz, the aforementioned 19th century Prussian, observed that war’s, “grammar, indeed, may be its own, but not its logic.” An interesting development in cyberspace is that unlike the other domains, private companies have thus far been expected to largely defend themselves in cyberspace, whereas in the physical domains a business was not expected to defend itself from hostile aircraft or tanks. Some similarity may be seen in merchant ships that were subject to attack, but in the modern era they were generally defended by military members put on board for that purpose.
In our systems of systems world, national defense and private industry are arguably more codependent than ever before. Akin to the military protecting merchant vessels in WWII, civilian industries and transportation have become more dependent on systems that are vulnerable to cyber-attacks. Is there an emerging need to support and defend these vessels during times of high threat or known attacks? Or does private industry fend for itself against the persistent cyber threats of the modern information age? Industry and military leaders are evaluating these questions and seeking the appropriate balance. The necessity of providing military protection to private industry was clearer in the industrial age, as in the example of escorting merchant vessels in WWII, but the dependence on cyberspace challenges the historical approaches to these situations.
Military personnel don’t defend factories and businesses in cyberspace, and today CISOs face increasingly dangerous threats. While everyone was paying attention to the Sony hack, which did create a great deal of media publicity, a potentially far more groundbreaking cyber-attack took place in Germany. In December of 2014 cyber attackers caused “massive physical damage” to a German steel mill through a social engineering attack that then bridged across to production systems. These types of attacks cause physical damage similar to what aircraft bombs or dynamite from a saboteur would. The attacks on the Ukrainian power grid were another example of complex and high-level attacks where a business came under direct attack that had wide reaching physical effects. These attacks are only the beginning. As the importance of cyber-physical systems, often referred to as the “Internet of Things,” increases, the importance of attacks on those “things,” whether or not they are traditional IT, also increases. If CISOs are going to have to defend their business systems, not just from cyber-criminals, but also against nation state level cyber attackers, what can be learned from the traditions of military strategy?
Lesson 1: Operations Must Support Policy
The first major lesson from the great strategic theorists is the importance of ensuring that operations always serve the larger policy purpose. This is already evident from the definition of strategy given above by Gray. Clausewitz famously stated that war is a “continuation of policy with other means.” Security should be a continuation of business objectives, and security for its own sake makes no more sense to a business than battles fought with no connection to the overall policy objective of a nation. Of course, the policy objectives of business generally revolve around profit, although long term profitability vice short term profit is normally a wiser objective. It may help the balance sheet in the short term to cheat on environmental regulations, but the hit on long term profitability when the cheating is discovered will normally be much larger than the short term boost. For the CISO, staying connected to business objectives often involves finding the right balance of security, functionality, and finance.
Finding the right level of security that protects the business, while enabling connectivity and the pursuit of business objectives, is one of the most difficult challenges faced by a CISO. The default answer for most security professionals when confronted by a threat is “lock it down,” but that is often unacceptable to functional business units trying to accomplish their tasks. Communication is risky, but it is also the whole point of most business systems. “Vulnerabilities” are often inherent in the design of systems whose purpose is communication, and closing them down can have significant negative effects. Of course, CISOs can fail just as easily by leaving systems too open; finding the right balance and ways to be secure while still enabling business processes is the key.
Furthermore, every person with access to the network must become the equivalent of a sentry who is trained to identify threats and take immediate action to minimize them. Individuals must be trained to identify threats such as phishing as well as behavior that inadvertently introduces threats to systems. Even plugging a phone into the network with the sole intent of charging the device could potentially introduce malware that could compromise critical systems. Strategic CISOs must ensure training and education are part of their plans. The first point of connecting tactical actions to business objectives is well understood but is important enough to be worth repeating anyway. Unfortunately, the next lesson from the strategic masters is far less widely understood.
Lesson 2: Action and Reaction
CISOs should never forget that they contest continually with active and maneuvering enemies who will react to every move and countermove. It is a well-known military truism that, “the enemy gets a vote” which is to say that the enemy will react to whatever a combatant does, often in unexpected ways. Clausewitz said this more elegantly when he compared war between nations to a wrestling match with each wrestler constantly reacting to what the other wrestler is doing in a continuous interaction. Edward Luttwak takes this concept even further and states that the entire realm of strategy is driven by this interaction which generates a paradoxical logic where combatants often get the opposite of whatever they are seeking due to the enemy’s response.
Further, once malicious code is released and detected, the defended organization will likely remediate the threat quickly. After an attack is detected, the defender can perform forensics on the malicious code and then modify their own systems as required to counter it. Once the attacker determines that they have been detected, they will respond by changing the nature of their attack. This maneuver dynamic makes responding to a cyber-attacker very different from responding to a natural disaster. An earthquake or hurricane may do tremendous damage, but it isn’t trying to defeat your defenses; it just is what it is and would be the same whether your facility happened to be in the way or not. Natural disasters are mitigated through good risk management and engineering, but some of that methodology breaks down with cyber attackers. The odds of a hurricane striking a particular area can be well modeled using probabilistic methods; not so for a cyber-attacker who is responding to incentives and countering what the defender is doing. Closely monitoring an incoming hurricane does nothing to change its trajectory, but closely monitoring your IP space and the attackers trying to get in will change a cyber-attacker’s trajectory.
Vulnerabilities in IT systems represent opportunities for the enemy to inflict their desired effects on your systems. Both hardware and software added or altered in your system environment introduce additional potential vulnerabilities. Routine updates to your software, as well as adding even simple devices such as mice, keyboards, and printers, all add potential new security weaknesses that attackers can exploit. There are also always “zero day” or unknown vulnerabilities that exist in every system. The number of potential vulnerabilities in just IT systems is overwhelming; when you consider Operational Technology (OT) systems such as water treatment, electrical power generation, or production systems, the enormity of the problem becomes hard to even grasp. The bottom line is that a determined and competent attacker will eventually be able to find an opportunity to enter and create their desired effects.
Enemy forces will be able to maneuver and evaluate opportunities, but CISOs should never forget that they can maneuver as well. Because modern cyber maneuver consists largely of keystrokes rather than large personnel and equipment movements, attackers are agile in their ability to quickly probe and pursue targets. CISOs need to be able to respond quickly by monitoring their systems to detect and react to intruders in real time. Attackers use automated systems to rapidly search for vulnerabilities; defenders can use automated detection systems to determine that scanning is underway and dynamically adjust their environment to confound scanning. A continuing issue is that many organizations do not establish software lifecycle programs to deal with software that is no longer supported. Most of these systems’ vulnerabilities are no longer patched, which makes them static targets that can no longer easily maneuver and often leaves them open to easy compromise. Because threats are so dynamic, CISOs have to be very agile and dynamic as well.
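The automated scan detection mentioned above can be illustrated with a short added example (not part of the original article): a sliding-window detector that flags a source when its denied connections touch many distinct host and port pairs in a short time. The log format, the addresses, the threshold and the window are all constructed assumptions, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log (documentation address ranges only).
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY src=198.51.100.7 dst=192.0.2.10 dport=21
2024-05-01T10:00:01 DENY src=198.51.100.7 dst=192.0.2.10 dport=22
2024-05-01T10:00:02 ALLOW src=203.0.113.20 dst=192.0.2.10 dport=443
2024-05-01T10:00:02 DENY src=198.51.100.7 dst=192.0.2.10 dport=23
2024-05-01T10:00:03 DENY src=198.51.100.7 dst=192.0.2.10 dport=25
-- log rotated --
2024-05-01T10:00:04 DENY src=198.51.100.7 dst=192.0.2.10 dport=3389
2024-05-01T10:00:05 DENY src=203.0.113.20 dst=192.0.2.10 dport=8443
2024-05-01T10:02:00 DENY src=203.0.113.99 dst=192.0.2.10 dport=22
2024-05-01T10:05:00 DENY src=203.0.113.99 dst=192.0.2.11 dport=22
2024-05-01T10:08:00 DENY src=203.0.113.99 dst=192.0.2.12 dport=22
2024-05-01T10:11:00 DENY src=203.0.113.99 dst=192.0.2.13 dport=22
2024-05-01T10:14:00 DENY src=203.0.113.99 dst=192.0.2.14 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse(line):
    """Return (timestamp, action, src, dst, dport), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["action"],
            m["src"], m["dst"], int(m["dport"]))


def detect_scanners(lines, window=timedelta(seconds=60), threshold=5):
    """Flag sources whose denied attempts hit >= threshold distinct
    (dst, dport) targets inside one sliding time window."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, target)
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != "DENY":
            continue              # skip malformed lines and allowed traffic
        ts, _, src, dst, dport = rec
        q = recent[src]
        q.append((ts, (dst, dport)))
        # Evict attempts that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        targets = {target for _, target in q}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = {"src": src, "first_alert": ts,
                           "distinct_targets": len(targets)}
    return alerts


if __name__ == "__main__":
    for alert in detect_scanners(SAMPLE_LOG.splitlines()).values():
        print(alert)
    # A patient source spreads its probes out and slips under a short
    # window; a longer window catches it at the cost of more state.
    slow = detect_scanners(SAMPLE_LOG.splitlines(), window=timedelta(hours=1))
    print(sorted(slow))
```

The second call shows the action and reaction dynamic in miniature: the source that probes once every three minutes is invisible to the 60-second window, so the window itself is something the defender has to keep adjusting.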
Lesson 3: Identify the Correct Center of Gravity
The next major lesson from classical military theorists for a modern CISO is the importance of focusing on the correct center of gravity. In cyberspace terms, this center of gravity is also often referred to as cyberspace key terrain. There are many thousands of devices on any medium sized network; which ones does a CISO pay attention to first? Resources are always limited, so prioritization is a key question for any CISO. Clausewitz identified the center of gravity as the “hub of all power and movement,” which is notoriously difficult to understand and apply to a practical situation. For a CISO, their center of gravity should encompass only the most critical business systems, and what those systems are will depend on the nature of the business and the strategy of the firm. As a simple example, for a bank, e-mail servers are presumably of far less importance to the survival of the bank than the systems that transfer money. For a major manufacturing firm the cyber key terrain might be the computer systems controlling manufacturing.
There are several key characteristics of cyber key terrain that are worth exploring. One factor is that cyber key terrain can change very quickly. Gregory Rattray identified that the geography of cyberspace is extremely mutable and the cyberspace equivalents of mountains and oceans can be shifted, deleted, or inserted with the flick of a switch. However, cyberspace is not endlessly mutable as it is tied to the physical world. The physical devices that create cyberspace matter, and defending them is a critical element of an effective defense in depth. Many a CISO has learned this the hard way when an attacker gains physical access to inadequately protected hardware or someone with a backhoe digging a trench accidentally takes down a critical data center.
Both the physical and virtual portions of cyberspace matter and should be mapped to a comprehensive enterprise architecture if it is going to be defended properly. A good enterprise architecture is the first step, but if a CISO is going to identify what is truly critical, they will have to also do a mission analysis of what elements are most important to the organization. There are numerous methodologies that enable this type of analysis available from numerous organizations and it is hard work to sort out, but absolutely imperative if a CISO is going to understand their center of gravity and cyber key terrain.
Lesson 4: Use an Indirect Approach
The fourth major lesson for CISOs from the world of military strategy is not to take on every challenge head on. Often a more indirect approach that comes at a problem from the side is far more effective and less costly. In military terms, often that maneuver is literally to the side as in a flanking maneuver that goes around a strong enemy defense to attack from a much weaker point at the side or rear. One of the strongest proponents of this approach was Sir Basil Liddell Hart who wrote at great length about the indirect approach and also emphasized the psychological versus just the physical element of coming at the enemy in an unexpected way. A CISO will not normally be physically moving to the side of an attacker, but can surprise them by having unexpected defenses or monitoring in place.
The Chinese strategist Sun Tzu placed a heavy emphasis on trying to deceive your foes to bait and lure them. A modern CISO can accomplish much the same with honey nets, virtualization, and software defined networking among other techniques. It does take more than technology; to deceive an attacker, a defender must understand what the attacker expects to see and feed those expectations. If an attacker is occupied by attacking systems that are not really there, it is relatively easy to understand and contain them.
A CISO can also do more than build honey nets. A CISO controls the physical hardware and architecture and so can deliberately create a geography and environment hostile to attackers. Miyamoto Musashi, a famous Japanese Samurai, advised that a warrior should strive to force the enemy into inconvenient situations. A CISO can accomplish this in cyberspace by architecting business systems so they allow necessary business functions while making life extremely difficult for attackers, even once they penetrate the outer defenses. There are many promising technologies and approaches on the horizon that can accomplish this from a technical perspective.
Lesson 5: Flexibility and Resiliency Often Bring Success
A fifth major lesson for CISOs from military strategy is the importance of flexibility and resiliency. Flexible forces are required if a CISO is going to be able to respond dynamically to an attacker much like a defender on the ground in a combat situation must be able to rapidly shift forces from point to point to respond to different enemy probes and attacks. Sun Tzu went so far as to state that a commander should have normal and exceptional forces that can change roles in the middle of a battle from fixing an enemy force to maneuvering and vice versa. For a CISO this could involve personnel who can transition to different roles as crises and attacks develop.
Critical systems must be evolved and developed to “know” when they are in a secure state, and when they are not. This is being done today by establishing a baseline for the system that is monitored and that alerts when the state is altered. By building a dynamic ability to perform root cause analysis of what has caused the deviation, systems will potentially be able to suspend activities for a time and return themselves to the secure baseline. The result of the analysis would be fed to an intelligence center for analysis and subsequent action for other systems if required.
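The baseline, deviation and return-to-baseline cycle described above can be sketched as an added example (not part of the original article). The monitored items, their contents, the system name and every function name here are constructed assumptions; the state is held in memory so the example runs offline.

```python
import copy
import hashlib
import json

# Constructed "golden" state of a hypothetical system: item name -> content.
GOLDEN = {
    "sshd_config": b"PermitRootLogin no\n",
    "crontab": b"0 2 * * * /usr/local/bin/backup\n",
    "authorized_keys": b"ssh-ed25519 CONSTRUCTED-KEY ops@example\n",
}


def drifted_state():
    """Constructed example of the same system after unapproved changes."""
    state = copy.deepcopy(GOLDEN)
    state["sshd_config"] = b"PermitRootLogin yes\n"   # modified
    del state["crontab"]                               # removed
    state["rc.local"] = b"/tmp/updater &\n"            # added
    return state


def fingerprint(state):
    """Baseline manifest: item name -> SHA-256 of its content."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in state.items()}


def find_deviations(baseline, state):
    """Compare the current state to the baseline and name each change."""
    current = fingerprint(state)
    deviations = []
    for name in sorted(baseline.keys() | current.keys()):
        if name not in current:
            deviations.append({"item": name, "kind": "removed"})
        elif name not in baseline:
            deviations.append({"item": name, "kind": "added",
                               "sha256": current[name]})
        elif baseline[name] != current[name]:
            deviations.append({"item": name, "kind": "modified",
                               "expected": baseline[name],
                               "sha256": current[name]})
    return deviations


def restore(state, golden, deviations):
    """Return the state to the baseline, touching only what deviated."""
    for dev in deviations:
        if dev["kind"] == "added":
            state.pop(dev["item"], None)
        else:  # removed or modified: put the known-good content back
            state[dev["item"]] = golden[dev["item"]]
    return state


def check_and_heal(system_name, state, golden):
    """Detect drift, restore the baseline, and build the report that
    would be forwarded to the intelligence center for wider analysis."""
    baseline = fingerprint(golden)
    deviations = find_deviations(baseline, state)
    report = {"system": system_name, "secure": not deviations,
              "deviations": deviations}
    if deviations:
        restore(state, golden, deviations)
        # Re-verify rather than assume the restore worked.
        report["restored"] = not find_deviations(baseline, state)
    return report


if __name__ == "__main__":
    state = drifted_state()
    print(json.dumps(check_and_heal("plant-gateway-01", state, GOLDEN),
                     indent=2))
```

The baseline and the golden copy only help if they are stored where the monitored system cannot modify them; otherwise whoever altered the system can alter the definition of "secure" as well.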
Lesson 6: Know Your Enemy and Know Yourself
The sixth thing that a CISO can learn from military strategy is the importance of intelligence. Sun Tzu focused extensively on intelligence and famously stated, “Know the enemy and know yourself; in a hundred battles you will never be in peril.” For a CISO, knowing yourself starts with enterprise architecture and mission analysis; knowing the enemy involves staying up to date on what the threats to the organization are doing. Most CISOs do not have the resources to engage in serious intelligence work, so this is an area where hiring this role out to one of the firms that specializes in this work can be very helpful. CISOs should not just care about what is being said on the dark web about who is thinking about attacking whom, but should seek out the latest technically based intelligence and profiles that may not have made it into commercial signature based scanners yet.
Dynamic cyber intelligence collection has become paramount. Microsoft has adopted this concept and receives notifications from their operating systems when they detect new potential threats. Defense and intelligence organizations should develop a joint center with partnerships of private companies to protect the critical systems and government policy is clearly headed in this direction. Strategic CISOs across various organizations should partner to build a security council and sponsor joint capabilities where that makes sense for their business. Most organizations agree that you must understand your threat. With the cyber threat becoming so dynamic and persistent, more partnership to collect the threat and intelligence data is important and becoming more so every day. The cyber intelligence center would both collect and disseminate information to trusted organizations with a need to know to include private industry. Both software and hardware manufacturers would be potential recipients of some of the collective intelligence.
Lesson 7: You Get What You Measure, So Choose Wisely
A final major lesson from military strategy is the importance of measurement and assessment; without it a combatant or CISO has no idea if what they are doing is moving them closer to their desired end state. J.C. Wylie rightly tied measurement to the heart of strategy and included a system of measures at its center. It is discouraging to see how many organizations do not even routinely count and track the number of patches that have not been applied and report the results to senior management. These are very easy and basic measurements readily available to any CISO, but they are not necessarily the best measurements available.
Metrics should always link back to the business mission, and the easiest things to measure may not be the most important things. It has long been understood that measurement influences behavior, and in business, just as in quantum physics, the presence of an observer will alter reality. If the key security metric reported to management is the percentage of systems that are fully patched, an organization may have very well patched systems, but are they secure? And what does “secure” mean anyway within the context of the business mission and objectives? The U.S. military tries to address these issues by having two different types of metrics, Measures of Performance (MOP) and Measures of Effectiveness (MOE). An MOP measures how well a task is being accomplished while an MOE measures how close the organization is to its desired objectives. An example of an MOP might be the percentage of IT systems that are fully patched, while an MOE might be how well protected the company’s Intellectual Property (IP) is. MOPs tend to be much more specific and under the control of the CISO, while MOEs are harder to measure but are the measurements that really matter. Good MOPs will contribute to MOEs, but it is always tempting for CISOs to measure the things that are easy to measure vice the important things. Patching systems is a good thing, but it does not guarantee that IP is protected; numerous other things will need to be done as well. The mission analysis done to identify cyber key terrain will help guide the development of meaningful MOEs that can help a CISO understand how well they are doing in a similar way to military strategists.
There are seven useful strands of strategic thought that can be extracted from military strategy and repurposed to great effect by modern CISOs. That there are so many useful lessons applicable to CISOs should not be that surprising; cyberspace attacks on businesses are similar to physical warfare because in both cases humans in conflict are at the heart of the matter and this human dynamic has great impact. The first lesson that CISOs can pull from the strategic theorists is the importance of ensuring that their objectives are always tied to the larger business objectives and that security for its own sake should never be pursued. The second lesson is that the adversaries attempting to attack or disrupt business systems will respond dynamically and often in unexpected ways to every action taken by defenders. This dynamic maneuvering is available to defenders as well who need to be agile and responsive while defending the most important cyber terrain that should be identified via the third lesson that a defender must understand and focus on the right center of gravity. The fourth lesson suggests that an indirect approach is often more fruitful than charging straight into every problem and the fifth principle of flexibility and resiliency is most often needed to enable that indirect approach. The sixth lesson from military strategy is on the importance for a CISO to understand both their actual situation and that of their adversaries as accurately as possible and the final seventh lesson is on the importance of measurements and metrics. An organization will normally get more of whatever it values and measures so it is critical that a CISO measure the right things that lead to the desired objectives and end state. All of these seven principles and lessons can help a CISO be more effective in the fast moving and technologically grounded world of today’s organizations, and when the principles are combined, the synergy amongst them is even more powerful.
 Todd Fitzgerald and Micki Krause, ed. “What You Told Us: A CISO Survey” in CISO Leadership: Essential Principles for Success, (Amazon: Auerbach Publications, 2008), 3.
 William D. Bryant, International Conflict and Cyberspace Superiority: Theory and Practice (London: Routledge, 2015), 208-210.
 A good definition of OT is, “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.” Gartner, “Operational Technology (OT)” Gartner, http://www.gartner.com/it-glossary/operational-technology-ot.
 The top definition from Merriam-Webster is, “of or relating to a general plan that is created to achieve a goal in war, politics, etc., usually over a long period of time.” Merriam-Webster Dictionary, “strategic” Merriam-Webster, Incorporated. http://www.merriam-webster.com/dictionary/strategic. That type of definition is very broad and not very specific.
 Colin S. Gray, Fighting Talk: Forty Maxims on War, Peace, and Strategy (London: Praeger Security International, 2009), 48.
 Carl von Clausewitz, On War, ed. and trans. by Michael Howard and Peter Paret (Princeton, NJ: Princeton University Press, 1976), 579.
 A classic example can be seen in Germany’s performance in World War II. Throughout the war, German tactical and operational art was generally very good, but it was coupled with strategic blunders such as attacking Russia while England was still fighting that made it nearly impossible for them to win. Another example of a brilliant operational success that produced strategic failure was the Japanese attack on Pearl Harbor, where the very success of the attack doomed Japan to strategic failure as it hardened the resolve of the United States and made it impossible to achieve the negotiated settlement that was the Japanese policy objective.
 J. C. Wylie, Military Strategy: A General Theory of Power Control (New Brunswick, N.J.: Rutgers University Press, 1967), 13.
 Jacob Gudger, SMART Goals: The Ultimate Goal Setting Guide, Kindle Edition, 2011, 14-30.
 Clausewitz, On War, 605.
 Paul Rosenzweig, Cyber Warfare: How Conflicts in Cyberspace are Challenging America and Changing the World (Santa Barbara, CA: Praeger, 2013), Kindle Location 3660.
 Robert M. Lee, Michael J. Assante and Tim Conway, German Steel Mill Cyber Attack, SANS ICS Defense Use Case (Washington D.C.: SANS, 30 December 2014,) 1.
 Robert M. Lee, Michael J. Assante and Tim Conway, Analysis of the Cyber Attack on the Ukrainian Power Grid, SANS TLP: White Report (Washington D.C.: SANS, 2016,) 20.
 Gray, Fighting Talk, 48.
 Clausewitz, 69.
 Marjory S. Blumenthal and David D. Clark, “The Future of the Internet and Cyberpower.” In Cyberpower and National Security, edited by Franklin D. Kramer, Stuart H. Starr and Larry K. Wentz, 206-240. (Washington, DC: Potomac Books, 2009), 229.
 Rosenzweig, Kindle location 441.
 Clausewitz, 75.
 Edward N. Luttwak, Strategy: The Logic of War and Peace (Cambridge, MA: Belknap Press, 2003), 2.
 Clausewitz, 595.
 Gregory J. Rattray, “An Environmental Approach to Understanding Cyberpower.” In Cyberpower and National Security, edited by Franklin D. Kramer, Stuart H. Starr and Larry K. Wentz, 253-274. (Washington, DC: Potomac Books, 2009), 256.
 Martin C. Libicki, Conquest in Cyberspace: National Security and Information Warfare (Cambridge: Cambridge University Press, 2007), 66.
 B. H. Liddell Hart, Strategy 2nd ed., (New York: Penguin Books, 1967), 5.
 Sun Tzu, The Art of War, trans. by Samuel B. Griffith with Foreword by B. H. Liddell Hart (Oxford University Press: Oxford, 1971), 66.
 Gray, 35.
 Miyamoto Musashi, The Book of Five Rings (Start Publishing LLC: Amazon Kindle, 2012), Kindle Location 797.
 Sun Tzu, 91.
 Sun Tzu, 83.
 Department of Defense, Joint Publication 5-0, 11 August 2011, D-3.