2. Rapid decision cycles
Not only is cyber security a complex problem, it is also an adaptive problem that undergoes change over time. This is due to the fact that organisations react to every action an adversary takes. This in turn triggers the adversary to have a subsequent reaction.
As this sequence continues over time, it eventually leads to an evolution in the threat problem.
This becomes clear when taking a longer-term perspective. Cyber threats in the 1990s were quite different to today. It is clear they have gone through a series of evolutions over time.
The challenge is identifying what drives the speed of that adaptive evolution. Speed is driven by decision cycles. The larger the organisation, the longer the decision cycle.
For example, if an organisation was considering a new security strategy, or implementing new security controls, there would likely be a number of lengthy stages. Firstly, the board would need to set the risk appetite and provide strategic guidance. Executives would then begin looking at implementation options. Risk managers may be brought in to analyse the options before a business case could be developed. This would generally trigger a decision to make some strategic commitment or investment, which in turn requires resource allocation. This may require contract management and project management. Only at this stage would the organisation get around to implementation, which should then be followed after a period of time by reviews to determine the utility and efficacy of the initiative.
As you can see, this is a very long cycle that may take months or years to implement, refine and optimise.
By contrast, adaptive adversaries can operate according to much shorter cycles.
This short cycle is often characterised as the OODA loop:
With far fewer stages than a large organisation’s decision-making cycle, the OODA loop allows adversaries to move much faster.
Businesses traditionally operate according to 12-month cycles. By contrast, cyber adversaries tend to be far more responsive to changing circumstances thanks to their ability to make decisions on a daily or weekly basis.
Despite being larger and having significantly more resources, it is all but impossible to effectively battle adversaries with short decision-making cycles that fit within the large organisation’s long decision-making cycle.
The challenge for any large organisation is to find ways to react or evolve much more quickly. When a large organisation evolves slowly, it is likely to be vulnerable to a range of compromise events or breaches by adaptable adversaries.
Larger organisations must find ways to evolve at the same speed, or preferably slightly faster, than their attackers. Rather than maintaining rigid 12-month plans, daily or weekly decision-making cycles that facilitate rapid responses to constantly changing threat landscapes is preferable.
Having said that, it is also important that large organisations do not evolve too quickly, which indicates an over-investment that isn’t sustainable in the long term.