No one wants war, and no one wants a constant war. But that’s what CISOs face every day: a war against the enterprise prosecuted by nameless and faceless adversaries — every second, every minute, every day. Multiple groups launch relentless attacks from multiple locations. So, how do we change the game?
An acquaintance of mine retired after serving in various CIA positions, including the head of the directorate of science and technology. He had an insight he used to give his team to challenge their thinking about solving a particularly tough problem:
“If the rules of the game aren’t working for you, don’t change the rules. Change the game.”
If our adversaries don’t play by the rules, why should we? I’m not talking about breaking the law or violating rules and regulations governing an industry. I’m talking about outthinking and outfoxing attackers and conducting the proper after-action review when things don’t go right.
Some new terminology (for those not previously affiliated with intelligence or military operations) is needed to reshape our view of the current situation. First, we have to understand how decisions are made and how to increase the speed and precision of the decision-making loop.
During World War II, the British lost millions of tons of food, fuel, and munitions to German U-boat wolfpacks. The losses threatened to cripple the war effort. Something had to change. Traditional approaches weren’t yielding anything the Royal Navy could use to counter the deadly attacks.
That changed when a retired naval officer turned game designer was brought in. He was augmented with Wrens — young ladies who were Women’s Royal Naval Service members. Could a retired naval officer and a bunch of twentysomethings with absolutely no experience in naval tactics solve a massive problem? Sounds crazy, right?
Wrong.
A series of war games exposed flaws in U-boat tactics and from what they learned in the models, the Wrens were able to propose countermeasures. The Wrens weren’t saddled with the baggage of traditional tactics. They changed the game, which changed naval tactics for the rest of the war and inflicted serious damage and unsustainable losses to the German U-boats.
The Korean War exposed another weakness in tactics. The Mig-15 was superior to the F-86 flown by the U.S. Air Force. Losses were mounting. Colonel John Boyd changed the game. He didn’t teach tactics to attack enemy planes. He developed tactics to attack the minds of the pilots of the enemy planes. Colonel Boyd developed the Observation-Orientation-Decision-Action OODA loop to increase the speed and precision of decision-making. It revolutionized air-to-air combat by improving a fighter pilot’s ability to get inside his adversary’s decision-making loop.
Today, the OODA Loop gets applied to all facets of battle. A change in how the game was played resulted in a ten-to-one kill ratio over the Migs. The OODA Loop taught pilots that superior tactics could beat superior planes.
Fast forward to Vietnam.
By now, almost everyone has either seen or heard of the movies Top Gun and Top Gun: Maverick. The inspiration for the real Top Gun was born out of the unacceptable losses in air-to-air combat, even though the F-4 Phantom was the most advanced and technologically superior aircraft of the time.
In 1969, TOPGUN — Navy Fighter Weapons School — did more than teach new tactics. It also trained new instructors who took the lessons of TOPGUN back to their squadrons. TOPGUN embedded the tenets of the OODA Loop into their lessons, a concept that remains in place today.
The U.S. Army struggled to define the lessons from battle and improve future performance. Initially, this review began with training but progressed to actual battlefield engagements. The After-Action Review (AAR) has become a core component of all organizations within the military that focuses on four core questions:
- What was planned?
- What happened?
- Why did things happen the way they did?
- What do we need to modify before the next event?
AARs are generally conducted verbally with the team in either a formal or informal manner. Over a period of time, multiple AARs deliver organizational insights that ad-hoc methods or meetings can’t discover.
Let’s round all of this out with a lesson from the intelligence community. The CIA makes it its business to analyze information and produce intelligence. The process has been well-defined and achieves tremendous results when it’s applied rigorously.
The five steps are: planning and direction, collection, processing, analysis and production, and dissemination. I always add a step at the beginning called requirements. Defining what the team needs to accomplish allows the planning process to start with specificity.
Here's a quick checklist on how modern-day CISOs can apply all these lessons to IT security operations:
- Change the game: Quit looking at attacks and events through the same lens as before. Unconstrained thinking and novel approaches can inform serendipitous discoveries.
- Teach the OODA loop: Make decisions faster than the adversaries and attack how they think about the problem.
- Create a TOPGUN school: Identify leaders, give them the tools and tactics to go back to their business units and organizations, and spread the knowledge.
- Conduct an AAR when an engagement occurs: CISOs can use an AAR for something as serious as a breach or a failure to detect a potential compromise. It can also be an action taken that resulted in an unwanted outcome.
- Don’t fight fair: Use every available tool to automate responses (like AI) and stay focused on high-value activities. Think about creating an autonomous SOC. Overwhelm the adversary, get inside their OODA loop, and make them react to how the team operates. Attack their minds.
CISOs are the battlefield commanders. It’s time to use every tool available in the constant fight to defend and protect the company’s assets.
Morgan Wright, chief security advisor, SentinelOne
