One of the biggest threats to all organizations today — from the financial sector to schools to startups — comes from state-backed cyberattacks, mainly from Russia and China. With their increasing use of supply-chain attacks, where an attack on one organization can ultimately affect thousands of others, these state-backed groups are an existential threat to all businesses, even those that don’t view themselves as having great national or economic importance.
Dealing with these threats requires a shift in mindset: above all, cybersecurity departments must think beyond solutions and tools and concentrate on people and processes, taking a couple of key lessons from the military sector. By now it should be clear that technology and tools, though helpful in the right hands, are not enough to protect organizations, especially when it comes to state-backed attacks.
After all, global spending on and investment in cybersecurity solutions are growing at a rapid rate, yet attacks are, too. This frustrating situation stems partly from the fact that the tools defenders use are public and can be purchased and tested by hackers, making many of them ineffective.
Seek Out and Elevate People with Military and Government Experience
When shifting the focus to people and processes, one of the most important things organizations can do is to make sure that their cybersecurity units, whether internal or hired externally to deal with incidents, include professionals with military, government, or state-level cybersecurity experience. The same advice goes for companies that make or administer cybersecurity solutions, such as SaaS platforms. There should be a balanced combination of appropriate human talent and technology.
Military and government experience is key to achieving this, and gives these companies and professionals the skills needed to understand, detect, and respond to threats from state-backed actors. State-backed actors differ from criminal hackers in that they often play a long game, spending years collecting intelligence and finding vulnerabilities before striking. And they are not motivated by quick money. They are well-funded and looking to cause long-term damage and chaos.
I see the importance of military backgrounds in cybersecurity every day in Israel, where there is mandatory military service and therefore a large number of veterans entering the workforce each year. This experience has been a crucial factor in the success of the country’s cyber industry.
While it is true that most other countries, without mandatory military service, do not have such a proportionally large pool of talent coming out of their armed services, they can still make the most of and encourage those who do have this background. Those with military or government backgrounds should lead units and projects, and they should be encouraged to pass their skills and insights on to others around them. This is also something that is happening in Israel, where even those who haven’t served in the military are constantly learning on the job from those who did, further strengthening the growing sector. Once military experience is given the proper priority in any organization or company, there will be a valuable trickle-down effect through the rest of the workforce.
Organize and Delegate Tasks
In addition to the proper talents, each cybersecurity team and each person needs to have specific tasks and goals. This is one of the key ways that militaries approach missions, and cybersecurity departments can partially adopt this approach. It should not be that everyone does a bit of everything, as often happens, at least in my experience. Companies often do this to save money, or because they believe that tools, rather than people, can carry out some of the tasks, making it irrelevant which individuals fulfill which roles.
In general, there should be specific steps assigned to each group or each individual, with those tasks being coordinated and carried out in a certain order. This is especially true when it comes to digital forensics and incident response. Just as attackers often follow a well-ordered set of steps, as famously outlined by Lockheed Martin’s Cyber Kill Chain, those responding to cyberthreats need to adopt the same organized mindset, working through a list of tasks, each assigned to specific people. Moreover, each person on the team should focus on the tasks they are best at, maximizing the team’s capabilities. After all, many of the tasks are professions in their own right and should be treated that way.
At the end of the day — or of an incident response — a security team is only as good as its people and its processes. The good news is that these are both factors that organizations can control, in who they hire and in how they work. It is these factors, more than tools or any upcoming regulations, that will determine which organizations are able to fight the cyberwar successfully, turning this existential threat into one they can mitigate and manage.