“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Chris Pogue, CISO at Nuix thinks that 2,500 year old piece of wisdom from legendary chinese military theorist and general, Sun Tzu has more to do with modern information security than you might expect. Security is after all a battlefield: strategies must be drawn out in detail, defences actively assessed and enemies conquered.
Notions like OPFOR, training against dummy enemies to establish your own weak points, translate almost seamlessly into red teaming or penetration testing, a well worn device of the security industry.
You're really doing the same sorts of things you would do in the military, says Pogue, “with just a different set of information.” The job of information security, Pogue maintains, runs in close parallel to that of a combat soldier.
Pogue enlisted in 1996 and went into the field artillery. While it was fun, as he puts it, “making things go boom”, it was a decision that would point him towards his current position (as the CISO of Nuix where he's helped train thousands of federal agents in cyber-investigations.)
Chris Pogue getting pinned as a Warrant Officer
Through the army, Pogue got the chance to study at Carnegie Mellon University's Software Engineering Institute and achieved the rank of warrant officer, specialising in what was then known as computer network defence and computer network attack.
By then Pogue had spent over a decade in the army and was looking towards starting a family. His mind set to how he might apply those skills to the private sector.
It wasn't a hard mental leap from the army into IBM says Pogue. In both cases, “you have a clear adversary who has goals contradictory to your own - you have to defend and evolve as they evolve”.
To see the blindspots that a civilian CISO might be encumbered with, says Pogue, “google the word ‘data breach'.”
Checkbox regulation like Governance Risk Compliance Regimes, for example: “nowhere is that found in military doctrine. Ever.” While a civilian might list off the tasks required by law to secure his or her company's data, they might not “quite get that that is one of the starting blocks”.
That checkbox exercise, “doesn't include all the active components that you need to engage in to have the intended impact; things like active training, conducting real world OPFOR exercises. Not only are they going undone - they seem novel.”
Concepts employed in information security, will be familiar for those who have spent time in the military. CISOs will often use tactics similar to the ones “we use for establishing a perimeter, for defending the perimeter, for having multiple layers of defence”.
Active defence, for example is, defined by the US Department of Defence as "The employment of limited offensive action and counterattacks to deny a contested area or position to the enemy." The definition might seem familiar.
The tactic, taught to combat soldiers, is increasingly being adopted by information security professionals, in the form of techniques such as honeypotting, as a way to hinder and obfuscate the clear line of an adversary's attack.
In the forces, "you live security day in, day out", says David Venable, vice president of cyber-security strategy at Masergy, and a six-year veteran of the US Air Force and the National Security Agency. "It becomes ingrained in you to be thinking about opsec (operational security).” When deploying an operation, “one of the big rules is that you never say where and when on the phone. Even little things like that become ingrained in you and it alters your perception of the world".
Broadly, says Venable, it creates a mindset on which you can easily build an infosecurity career.
Much of the understanding that benefits an information security role, said Brett Wahlin, an independent cyber-security professional and former CISO at Hewlett Packard Enterprise, “you gain from from the military doctrine that is instilled no matter what role you actually take in the military.”
Specialisation adds to that understanding. Wahlin spent several years as a counter-intelligence agent in the US military. He signed up in 1987, and underwent just over a year of training in, as he puts it, “the art of finding a spy”.
Back then, they did things on a whiteboard, but the principle was the same. They “were looking for patterns; were looking for behaviours; were looking for things that are abnormal”. Now,“we're doing them at machine speeds”
As the Berlin wall came down, cyber-security had yet to really become a sector but Wahlin found himself looking towards a career in technology. He started out in networking, and helped build some of the early ISPs.
In the days before companies like eBay, “it became pretty apparent, just based on my training, how wide open ecommerce would be.”
He was drawn back towards security and in a roundabout way, he returned to many of the skills he had picked up in the military.
He continues to rely on military experience in others and former military people tend to make up a good deal of the teams he works with.
Loyalty and respect for rank are valuable characteristics on security teams, but people sometimes need some reminding that they've left the military: “corporate cultures are often very different and I find that for a lot of people who transition out of the service, that's a shock to them”.
There are, says Ewan Lawson, senior fellow for military influence at the Royal United Services Institute, many different kinds of military man: "depending on how people are being channelled, there is no one military officer".
There is a world of difference between ranks, for example. While some are valued for their ability to lead people into dangerous situations,others need to think strategically. Military command positions especially, “require you to be less consensual than the commercial sector”, says Lawson, and senior officers can chafe under the more fluid nature culture of the private sector.
Much like Wahlin, Lawson says that specialisation is often important: “The military has a very good educational system set up to train people”. The rigorous levels of education and specialisation within the armed forces often furnish people with the skills that benefit both them and their infosecurity roles.
There seem to be, says Lawson, a disproportionate amount of veterans of his old post, the RAF police, going into information security roles “because RAF police are responsible for computer security in the air force and in some ways led the three services in development of some of the skills”.
Lawson went into the Royal Air Force in 1988 as an RAF policeman, a role which deals heavily in network and computer security. In 2002 he went on to the UK advanced command and staff course and has since held a variety of roles including as commanding officer of the UK psychological operations group and within the Joint Forces Command, developing cyber-warfare capabilities.
“I would not buy the idea that the answer to all the world's problems is recruiting a load of military”, adds Lawson. Military experience can give people a great wealth of experience in strategy and dealing with complex problems. There is, however, a tendency in the private sector to think "former senior military must be bright and insightful and instantly relate that to employability".
Vince Warrington, founder of Protective Intelligence Ltd and cyber-lead at the Financial Conduct Authority is sceptical: “I wouldn't say they make better security people per se, but they do have a different perspective.”
Military-trained information security professionals tend to have a better initial understanding of the concepts that are native to security and may even hold data in a more sacred position than a civilian counterpart.
There are areas where a military background might be a hindrance. While a civilian CISO might be able to draw from the experience of a wide range of sectors and backgrounds, a long term military officer may find that his or her thinking is all too siloed.
In reality, said Warrington, “I don't think background really makes that much difference. CISOs should really be about strategy, governance and culture more than anything else, and I know of excellent CISOs from both civilian and military backgrounds.
When President Obama called cyber-space the fifth dimension of warfare in 2010, “none of us were really surprised”, says Pogue.
It's the kind of mindset that may well have become increasingly relevant since the advent of APT groups. In an industry that's dominated by non-combatants, “we're relying on the majority of civilians to fight the next generation of warfare with really no idea what they're doing”.
Pogue, camouflaged before a training mission
The fact is, says Pogue, civilian organisations are conscripted into international conflicts whether they know it or not. The security team at any large bank is likely fighting the agents of a foreign power ever day, “whether that's the Chinese, or the Russians or the North Koreans, that's irrelevant, civilians are going toe-to-toe with trained military combatants and that's the same everywhere.”“Thats where I think this becomes important for the modern CISO to have that background”, says Pogue. “I was trained to win conflict.”