Risk Management & InfoSec Operational Combatants – The Leviathan Force & the SysAdmins…the Real Art of War.
No, this is not some enlightened pithy post heaping praise on a dead Chinese military strategist. Nothing against his Tzu-ness, but I’m just plain tired of this overplayed guidepost for engaging in InfoSec warfare. For God’s sake, I own an iPod. I’m, like, so enlightened, sophisticated and refined. Sun Tzu is so last Wednesday! The closest I come to Chinese philosophy is whether or not to order the Kung Pao chicken or the Pork Lo Mein. Just to get that out of the way…
If you haven’t seen Thomas P.M. Barnett’s talk "The Pentagon’s New Map for War and Peace" from the 2005 TED, you should definitely click here and do so. Barnett is a brilliant and witty international security strategist who offers a unique contrarian perspective on the post-Cold War US military complex that differs quite drastically from the typical long range strategic planners squatting in the Pentagon:
"In this bracingly honest and funny talk, international security strategist Thomas P.M. Barnett outlines a post-Cold War solution for the foundering US military: Break it in two. He suggests the military re-form into two groups: a Leviathan force, a small group of young and fierce soldiers capable of swift and immediate victories; and an internationally supported network of System Administrators, an older, wiser, more diverse organization that actually has the diplomacy and power it takes to build and maintain peace."
What I find amazingly serendipitous about the timing of watching Barnett’s presentation is that it rang true with a theme I had been mulling over: it draws remarkable and absolute parallels to the state of, and the needed resuscitation of, how we practically organize the Risk Management and Information Security "combatant" fighting forces on the front lines of corporate America today, and to the thought processes and doctrines that govern how we operate.
I’m not going to spend much time here presenting this analogy and how it relates to the Risk Management/InfoSec world.
Watch the video and take a peek at this one excerpt slide below. Think about how we’re structured to do "battle" in our war against the bad guys. As Barnett says, what we need is two armies focused on one victory with a division of assets between them; the Leviathan Force and the SysAdmins:
I suggest that we need to recognize that the goals of these two forces are really diametrically opposed, which is why Ops staff bristle at all the bag-winding policy, procedures and change control while the Managers lament how the young’uns can’t grasp the concepts of diplomacy and managing risk instead of just threats and vulnerabilities.
We need to organize what we do and how we approach the deployment of resources (forces) around this same concept in balance. Yet, most people staff up in order to man a posted headcount as part of some mechanical rhythm that has for so long defined how we "do" InfoSec.
I’m not sure that many people actually have a security strategy that defines a long term achievable objective toward winning the war to achieve peace, but rather keep throwing bodies into the cannon fire as we serially sacrifice combatants as fodder for the sake of fighting.
Some of us actually do organize and hire based upon placing talent that is strategically as well as tactically the right fit for the job. My observation is that in reality, this practice is far and away the result of the lifecycle management aging of an ever-greying combatant force and nothing more…and it’s usually very, very unbalanced.
Instead, how about aiming to consciously build that Leviathan force of tactical soldiers who live, eat and sleep for "combat" (firewall jockeys, IDS/IPS analysts, etc.) and then take the older, wiser and diverse corps (architects, engineers, etc.) and have them deal with the aftermath — as a networking force — in order to maintain "peace" and let the soldiers go off hunting for the next foxhole to jump in.
Granted, we don’t talk offense in the traditional sense of how we play the game in our profession, and it’s a losing proposition because we’re holding ourselves hostage to a higher standard and a set of rules our enemies have no intention to play by. We organize inappropriately to repel the opposing force and wonder why we characterize what we do as a losing battle.
Now, I’m not outright suggesting that *everyone* run out and deploy first strike capabilities, but certainly entertain the thought of countermeasures that are more than a firewall rule and a blacklisted IP address. We can’t win on defense alone. Gulp! There, I said it.
So I’ll ask you again. Watch that video and think about Risk Management/InfoSec instead of traditional warfighting. You’ll laugh, you’ll cry and perhaps you’ll think differently about how you deploy your forces, how you fund your campaigns and ultimately which battles you pick to engage in and how.
"Don’t wage the war if you don’t want to win the peace…"
/Hoff
"Don't start nothing, won't be nothing"
The art of war is so last Wednesday – ha! I said the same thing recently
Quoting the Art of War to explain information security principles is like trying to improve business management skills by reading Dilbert. In the vendor world it is akin to the circle diagram that explains how the solutions create a closed-loop system for securing the world or something, even though they lack the really key pieces to actually close the loop. Anyway, I am all for bumper sticker philosophies and love my “Security people do it in private” bumper sticker, and the Art of War is a classic quoted by every security vendor that was around in the late 90’s, but seriously it is like playing Stairway to Heaven at Guitar Center.
Yes, Sun Tzu is a hackneyed cliche, and I'm sick to death of having it applied to something it has no relevance to… in fact I seem to remember posting on one "Security Buddha" site recently that Sun Tzu didn't have much in the way of IT to secure, but he seems to have changed his tune. 🙂
Where I really have to disagree is with dissing Led Zeppelin if only in reference, there's nothing wrong with Stairway to Heaven…
Apologies to Mark Curphey for saying it was the "Security Buddha" site, it was of course Amrit's "Tech Buddha" site. I've been reading a lot of Mark recently and it's very good…
I love Led Zeppelin as much as the next guy; I still have my high-school t-shirt collection. The first time I made it to third base Stairway was playing (OK, TMI). I was making reference to a common joke about too many guitarists playing Stairway to Heaven – I think in the movie Wayne's World there is a scene in a guitar center where someone starts playing it and the camera then pans to a large sign "No Stairway!"
You two wanna get a room?
Tech Buddha, Security Buddha, Stairway to Heaven…this is getting all religious up in here…
So, what'd ya think of the actual POST!?
/Hoff
I agree, completely and totally. It also comes down to the NIH and "too close to the source" problem that we all see quite often. See, Barnett saw what IT is doing when left to its own devices, and tried to see how it applies to warfare and 4GW in general. And saw that it was good.
InfoSec only sees what the military does and tries to apply it to a corporate environment, all the time ignoring what the progressive stream in military thinking is focusing on – learning from parts of IT that InfoSec ignores. The open source community has been something of a revolution that is now being applied to such diverse industries as advertising, military, scientific research, …
John Robb in his Global Guerillas goes even further, and his lesson is in many ways more applicable to our environment. Systempunkt idea and guerilla warfare are nothing new to us, of course, but it is funny how often people forget to look at the big picture.
You know what your problem is? You think way too rational for this industry. 😉
Oh.
What post? Oh yeah, 'salright I s'pose.
A room with Amrit Williams though? Cracking!
I'll have to bring my Led Zep IV album along by the sounds of things.
Tom around the web
Top billing this week to Tom on Giuliani's FA piece: + tdaxp liked it and linked Sincerely impressed by Giuliani's "Foreign Affairs" piece. + The QandO Blog didn't like it and compared Giuliani's FA piece to Tom's work. + Outside…
I think that there are huge parallels between Barnett's work and Infosec. I went down this particular rabbit hole last year http://1raindrop.typepad.com/1_raindrop/2006/10/d… http://1raindrop.typepad.com/1_raindrop/2006/10/a…
Part of the reason why it is interesting is that in both cases you have generals fighting the last war (poorly). And you have the move mentioned above to decentralization, hard to decentralize a Leviathan. I agree with your implication that we need tiers of security services.
On a semi-related note, Chris Ceppi from Ping Identity, said he thinks "World is Flat" did a better job than almost anything else at making the case for federation.
I remember reading those; I should have recognized/referenced them! You've referenced him a couple of other times, too. He's got a good person working his blog who keeps track of pings, as he trackbacked to you and me both…
It's been a while since I read the "World is Flat" and it certainly wasn't within the context of security. I think I'll revisit that.
Hope to see you at the OWASP event.
/Hoff