Force multipliers - What security & risk professionals can learn from special forces
S&R professionals need to look for force multiplier opportunities within their organisations.
Published 17:03, 28 February 12
- SaaS & Managed Services - Outsourcing tactical capabilities that aren’t strategic to your information security organisation can serve as a force multiplier. You can leverage the expertise of third parties, while focusing your effort and resources on accomplishing the mission of your business.
- Intelligence - Without actionable intelligence many SF missions would fail or perhaps not occur at all. In the book, Ambinder uses the term “persistent surveillance,” and there is a direct corollary for enterprises. “Persistent surveillance” =
Network Analysis and Visibility. We all know that our preventive controls will fail, and NAV provides situational awareness of our environment that is our best strategy for detecting asymmetric threats to the organisation.
- Fusion Centres - Military organisations are large bureaucracies that often don’t move quickly enough to respond to the constantly changing threat landscape. “Institutional friction” is the term used to describe this in the book. As a result, JSOC has created Fusion Centres that have representation across the spectrum of the government, intelligence, and the military.
- These Fusion Centres share intelligence and enable JSOC to quickly cut through the bureaucracy to make decisions. Enterprises should have their own equivalent of Fusion Centres; cross-functional teams with leadership support that enable the business to make appropriate decisions in a timely manner.
- Education & Training - SF units operate at an extremely high level of operational readiness, and must be prepared for the latest threats. When they aren’t deployed these units are constantly doing real world training to stay sharp and add new capabilities. Of course we don’t share SF's unlimited black budgets, but your organisation must focus on educating and training your team as well. To stay abreast of the latest hacking techniques, send your team members to annual information security conferences such as Black Hat, Derbycon, Toorcon. Also budget for indepth technical education on strategic security skillsets such as application security and IAM. Since budget is a challenge, you should also take advantage of free training at OWASP and B-Sides events.