What Security Says About Teams
Cybersecurity (henceforth, “cyber”) is the art and science of securing and defending assets in cyberspace so that your business can go to market and win. Or, so that your mission can go to the field, succeed, and stay there longer.
I’m continuing from the last newsletter, where I (incorrectly?) asserted that cyber’s use of “security” and secure communications’ use of the word are different. This time, instead of saying they’re different definitions (they frequently are), I’m asking: what if we adopt cyber’s definition and force it to go work for us more broadly? You don’t need to read the last newsletter to understand this one.
Before we explore what cyber says about communications security or secure communications again, let’s see what cyber has to say about our team structure.
Cyber is a function of your business. It’s subordinate to the needs and goals of the mission and it’s a repeatable, persistent part of your work. Pulling from CISA’s mission statement, The Cyber Defense Matrix (“CDM”), and Sounil Yu’s general brilliance: Cyber is comprised of both security and defense because it is concerned with both “left of boom” and “right of boom.” In other words, it’s concerned with prevention (“left of”) of negative events (“boom”) and response to negative events (“right of boom”).
Accordingly, it’s concerned with managing both the structure of your IT environment and the situations that impact it, so-called incident response. Situational management, of course, requires people with margin.
Organizations that don’t view cyber as a function of the mission tend to camp in the PROTECT function of the NIST Cybersecurity Framework (see this older article) and focus on cybersecurity as a static condition or point in time (I’m adapting the style of CDM for clarity). At Ericius, we see this all the time.
Viewed this way, cybersecurity only covers about twenty percent of the value it should provide. This static viewpoint and lack of coverage have dire consequences. Most obviously, mistaking PROTECT for whole-functioned cybersecurity ignores emergency preparedness and incident response.
Next, static-cyber leads to a tendency to understaff and under-resource cybersecurity. It not only leads to viewing cybersecurity as a condition that can be purchased and deployed but also results in constrained staffing because situational management isn’t allowed to drive the creation of margin and thereby manpower.
Then, what staff is made available is underskilled, managed with low expectations, and undertrained because they are expected to make sure cybersecurity is properly deployed and not expected to manage emergencies, which require professionalism, expertise, and aplomb, even though there’s no world in which cyber or IT staff will be able to avoid managing emergencies.
Crippled manpower in turn leads to the creation of and overreliance on heroes: people so committed to the mission they would rather die than take defeat. Heroes train themselves, they work long hours regularly and even longer hours during crisis, and then they burn out. Missions that rely on heroes may succeed in the short term, but when the hero burns out and quits, retires, gets hit by a bus, or becomes sick, the mission will suffer. The mission will then struggle to replace the hero because heroes, by definition, are rare. After all, there would be nothing uniquely praiseworthy about a champion if everyone behaved valorously everywhere all the time.
In the traditional domains of air, land, sea, and space this approach to situational management would never fly. In the visceral realm of physical emergencies, missions broadly recognize the need for expertise-driven teams of people available to help in time of need. It is no different in the fifth domain.