
Cyber Risk Management Lessons from the Battlefield

By General Sir Richard Shirreff | November 22, 2022

There are numerous parallels between the armed forces and cybersecurity. The skills that members of the military use each day—from honing their situational awareness to cultivating superior attention to detail—are equally critical in navigating the constantly evolving threat landscape. And many of these lessons learned on the battlefield can easily be applied by security teams to protect an organization more effectively from cyberattacks.

The Current—and Complex—Cyber Threat Landscape

Complexity isn’t confined to the military. Like the armed forces, the cyber defense community also faces a complex, volatile, and often uncertain threat landscape.

Cybercriminals frequently advance their playbooks to sidestep defense mechanisms and scale their operations. The result is that more complex and sophisticated threats are now becoming ubiquitous, and there isn’t an industry that is immune. For example, ransomware attacks continue to become more aggressive, with attackers introducing new strains and updating, enhancing, and reusing old ones. According to the FortiGuard Labs 1H 2022 Threat Landscape report, the team identified 10,666 new ransomware variants in this timeframe, compared to just 5,400 in 2H 2021. Even attack surfaces such as edge devices and Operational Technology (OT) that were once less popular among attackers are increasingly becoming attractive targets.

To adequately defend organizations from cyberthreats, security teams first need a clear picture of their environment and the external factors—such as regulatory requirements—that impact the technologies they procure and the processes they implement. CISOs and their teams must also build resilience, which requires them to assess their risk level regularly and ensure they have the appropriate mitigation strategies.

Building Resilience Requires Understanding the Connection Between Risk and Strategy

Building resilience against complex and uncertain business environments requires understanding the link between risk and strategy. This means understanding the risks your organization faces and designing an effective strategy to manage them.

Risk identification and assessment are two of the most crucial components of risk management, whether you’re on the battlefield or protecting your IT environment. Risks associated with cybersecurity are constantly changing. For example, changing company procedures or introducing new technology can significantly alter your enterprise’s risks. Take these opportunities to adjust your organization's general risk assessment accordingly. To ensure effective security, procedures must be continuously assessed for deficiencies—and improved. Risk assessments are also critical because they provide you with information about where vulnerabilities currently exist and which threats are on the horizon.

Organizations of all shapes and sizes should emulate the military when gathering intelligence. Gathering and reviewing threat intelligence regularly is another vital part of understanding your risk and the potential incidents that could impact your organization, and today it’s more important than ever.

Only after understanding what your enterprise is facing will you be able to create an effective plan to stay ahead of your adversaries. In addition to gathering threat intelligence, it's essential to develop a method for analyzing the data from specific sources and a mechanism for applying the tactical intelligence gained from the analysis.

However, while assessing risks and creating a plan to mitigate them are undoubtedly essential components of building a strong security posture, the strategy planning itself—the war gaming and stress testing—is perhaps the most crucial piece of the process. 

Planning (and Testing) is Everything

As former United States President Dwight D. Eisenhower stated, "In preparing for battle, I have always found that plans are useless, but planning is indispensable."

Testing your plan helps your team identify and understand areas of risk you still need to consider, and also highlights which parts of your plan work well and which could benefit from additional adjustments. This is also the ideal time to ask "What if?" questions and work through different scenarios. By identifying multiple risk scenarios and playing them out as a team in a safe-to-fail environment, your analysts will know how to respond when an incident does occur.

Beyond involving your own team in planning and testing exercises, make sure you also include other stakeholders in your organization who need to be involved in the response to a cyber incident. While these stakeholders might not be on the front lines of triaging an incident, consider who else at your company may need to take action related to a breach. This might include teams such as public relations and marketing, legal, and human resources.

The Many Synergies Between Military Service and Cybersecurity

There are many parallels between military service and cybersecurity. These similarities can be used not just to assess risk or create a strong security strategy; they can also help address the ongoing cybersecurity talent shortage. As you look to hire new talent, consider recruiting from programs that specifically prepare military veterans for new roles in cybersecurity.

Military veterans are natural problem-solvers who understand the importance of maintaining a strong defense posture and following the chain of command when dealing with an active threat. Today’s military is also highly technical. Many of these individuals were trained to use some of the most sophisticated technologies running on some of the most highly targeted networks in the world. As a result, their situational, hands-on experience translates easily to the cybersecurity battleground.
