Risk Management & InfoSec Operational Combatants – The Leviathan Force & the SysAdmins…the Real Art of War.
No, this is not some enlightened pithy post heaping praise on a dead Chinese military strategist. Nothing against his Tzu-ness, but I’m just plain tired of this overplayed guidepost for engaging in InfoSec warfare. For God’s sake, I own an iPod. I’m, like, so enlightened, sophisticated and refined. Sun Tzu is so last Wednesday! The closest I come to Chinese philosophy is whether or not to order the Kung Pao chicken or the Pork Lo Mein. Just to get that out of the way…
If you haven’t seen Thomas P.M. Barnett’s talk "The Pentagon’s New Map for War and Peace" from the 2005 TED, you should definitely click here and do so. Barnett is a brilliant and witty international security strategist who offers a unique contrarian perspective on the post-Cold War US military complex that differs quite drastically from the typical long range strategic planners squatting in the Pentagon:
"In this bracingly honest and funny talk, international security strategist Thomas P.M. Barnett outlines a post-Cold War solution for the foundering US military: Break it in two. He suggests the military re-form into two groups: a Leviathan force, a small group of young and fierce soldiers capable of swift and immediate victories; and an internationally supported network of System Administrators, an older, wiser, more diverse organization that actually has the diplomacy and power it takes to build and maintain peace."
What I find amazingly serendipitous about the timing of when I watched Barnett’s presentation is that it rang true with a theme I had been mulling over. That theme draws remarkable and absolute parallels to the state (and needed resuscitation) of how we practically organize the Risk Management and Information Security "combatant" fighting forces on the front lines of corporate America today, and to the thought processes and doctrines that govern how we operate.
I’m not going to spend much time here presenting this analogy and how it relates to the Risk Management/InfoSec world.
Watch the video and take a peek at this one excerpt slide below. Think about how we’re structured to do "battle" in our war against the bad guys. As Barnett says, what we need is two armies focused on one victory with a division of assets between them; the Leviathan Force and the SysAdmins:
I suggest that we need to recognize that the goals of these two forces are really diametrically opposed, which is why Ops Staff bristle at all the bag-winding policy, procedures and change control, while the Managers lament how the young’uns can’t grasp the concepts of diplomacy and managing risk instead of just threats and vulnerabilities.
We need to organize what we do and how we approach the deployment of resources (forces) around this same concept in balance. Yet, most people staff up in order to man a posted headcount as part of some mechanical rhythm that has for so long defined how we "do" InfoSec.
I’m not sure that many people actually have a security strategy that defines a long term achievable objective toward winning the war to achieve peace, but rather keep throwing bodies into the cannon fire as we serially sacrifice combatants as fodder for the sake of fighting.
Some of us actually do organize and hire based upon placing talent that is strategically as well as tactically the right fit for the job. My observation is that in reality, this practice is far and away the result of the lifecycle management aging of an ever-greying combatant force and nothing more…and it’s usually very, very unbalanced.
Instead, how about aiming to consciously build that Leviathan force of tactical soldiers who live, eat and sleep for "combat" (firewall jockeys, IDS/IPS analysts, etc.) and then take the older, wiser and diverse corps (architects, engineers, etc.) and have them deal with the aftermath — as a networking force — in order to maintain "peace" and let the soldiers go off hunting for the next foxhole to jump in.
Granted, we don’t talk offense in the traditional sense of how we play the game in our profession, and it’s a losing proposition because we’re holding ourselves hostage to a higher standard and a set of rules our enemies have no intention to play by. We organize inappropriately to repel the opposing force and wonder why we characterize what we do as a losing battle.
Now, I’m not outright suggesting that *everyone* run out and deploy first strike capabilities, but certainly entertain the thought of countermeasures that are more than a firewall rule and a blacklisted IP address. We can’t win on defense alone. Gulp! There, I said it.
So I’ll ask you again. Watch that video and think about Risk Management/InfoSec instead of traditional warfighting. You’ll laugh, you’ll cry and perhaps you’ll think differently about how you deploy your forces, how you fund your campaigns and ultimately which battles you pick to engage in and how.
"Don’t wage the war if you don’t want to win the peace…"
/Hoff