This is the second in a series of three articles on by John Myers discussing ideas from the start-up world that may be useful in a military context. The first article can be found here.
The first installment of this series drew upon a start-up perspective to discuss the importance of an experienced cadre in establishing a new cyber organization and its culture, particularly as it might apply to a military context. It addressed the kind of characteristics I personally look for in hiring members of start-ups I am involved with and bridged that to examine how the military approached building its cyber operations organizations. In particular, individuals with a great deal of expertise and who have an intrinsic passion for cyber operations are vital to laying an organization’s initial foundation. This highly talented and motivated initial cadre will eventually recruit, train, and grow more junior personnel as the program expands. In the end, I highlighted how in its rush to build a large scale cyber force, the military fell short in this critical task, funneling hundreds of personnel through basic cyber training without experienced leadership to lead the newly minted cyber force once their training is complete.
In this article, I will further explore how forward-leaning technology companies benefit in recruiting highly talented, self-driven individuals as initial cadre. To provide detail on how this applies to cyber security in particular, I will draw on examples from a variety of technology companies I have worked and spoken with during my time as a start-up Chief Technology Officer.
First, it is important to note that the environments these professionals are charged to defend are highly contextual, built specifically to serve the mission of their companies. Because of this, cyber security operations need to follow suit and the professionals hired to do this are responsible for many facets of the security program. Cyber professionals that are charged with security of highly contextual environments require in-depth knowledge of the technologies used to actually build the systems they are defending. This is a recurring theme found across many of the personnel that work for high-tech companies. Many, if not most, of the individuals that are now senior cyber professionals crossed into cyber from other fields such as software engineering, electrical engineering, computer science, and systems engineering. Security became a necessity through the development of complex environments that drive today’s most sophisticated companies. The experience gained from previous concentrations gave these individuals a distinct advantage and postured them to understand the mission systems they are defending and provided them the skills necessary to create highly tailored security mechanisms.
The initial cadre, for the more advanced commercial companies, is comprised of renaissance men and women who do not operate within a specific set of job duties and guidelines. They are researchers, planners, engineers, and operators, working across multiple aspects of cyber operations. As more junior personnel are hired, they work within one of these components to start, but are grown to take on increasing breadth, eventually reaching the experience of the initial cadre .
The basis for this cultural paradigm begins with how personnel are integrated into the companies at the beginning of their careers. For example, at Netflix, cyber security falls under production and reports to the Vice President of Engineering. In other words, cyber security reports to the entity that makes it possible for you to watch your favorite movie or binge on your favorite TV show. In military terms, cybersecurity reports to the mission owner. Further, while Netflix still has a corporate environment, they do not separate corporate security to avoid duplication of work. So, the mission owner oversees security for the entire company.
At Ionic Security, a provider of Data Loss Prevention products, Chief Information Security Officer Steve Pugh explains, “Our cyber professionals are deeply aligned with the company’s mission. I don’t think you can be an effective employee unless you know exactly what the company is trying to accomplish.” Ionic maintains a portfolio of security programs, each one tailored to a specific pillar of operations, but controlled by a single entity. Steve explains that “the reason we took this approach is for consistency of application, adherence to a single cybersecurity strategy, and because cyber security is a single thread through every business unit.”
When security reports to the mission owner, a unique requirement is generated: security personnel not only have to have deep understanding of security, but deep understanding of the mission itself as well as the systems and processes used to execute the mission. By being placed directly in the organizations that conduct the core operations of the company, security personnel explicitly have to understand how that mission gets done. It is part of their job description, they are part of operations, there is no way around it. The need for having both breadth and depth of knowledge across multiple domains then implicitly creates the need for an organization to hire “best of breed” personnel to stand up and run security operations.
During conversations with a variety of commercial security experts, it is quickly obvious how much these professionals know about the internal workings, processes, and mission of the company they aim to protect. They do not think a “network is just a network,” they understand and believe in their company’s mission and build security programs that fit and advance their organization’s mission.
This mission-focused integration segues into the understanding that cyber security needs to be custom built for the environment that is being defended. This is done to various degrees depending on the preference and needs of the company. Netflix built their own internal automated incident response platform called FIDO. This platform mostly integrates with Application Programming Interfaces (APIs) of commercial products, helping to drastically reduce the amount of time and personnel needed to conduct security operations. A “by environment” approach is a generally accepted practice by many commercial companies. Certain environments are created for certain reasons, and each one has its own security profile that comes with the appropriate technology and processes to defend it. This type of approach is slowly being adopted by the military, at least conceptually, at this point. Units like Cyber Protection Teams (CPTs) are supposed to be doing this type of mission, yet there are still heated debates about what a “standard” CPT toolkit is supposed to look like for unique environments. CPT toolkits should be created based on the type of environment being defended, not a “one size fits all” approach.
There is no shortage of examples of forward leaning companies building custom technology. Some are even going the extra mile to make their solutions open source and publicly available. Yelp, Netflix, Etsy, and Airbnb are just a few examples of companies that have made a point to employ the best practitioners to build a defensive environment that makes sense for the company’s mission. One financial technology company based in California has completely built their own platform from the ground up. They use only a couple of standard commercial tools, but have gone to great efforts to build solutions that seamlessly integrate with the production environment they are defending. The practitioners are experts that build and operate their security technology from the ground up, training new entrants to the field to eventually have the same level of talent.
I cannot emphasize enough the importance that the best companies put on a core set of cyber experts to build their programs. This core cadre does many of the functions mentioned above by themselves initially. They then recruit and train junior personnel in specific job functions with the long-term goal of creating renaissance men and women with greater breadth. As mentioned above, in order to build this core set of cyber experts, companies have to recruit and attract “best of breed” talent, which is non-trivial. Companies that do it well take a different approach; they pitch a culture that gives their employees freedom to execute and take a very hands-on, interactive approach to solving cyber and security problems. Cyber professionals for top companies are given the opportunity to take an educational and product approach to operations. They are able to research, test, and educate themselves on new topics in security, rather than just having to apply canned solution that they are familiar with from training or previous experience. The opportunity to integrate deeply with mission owners further attracts talent as this type of individual is often looking for educational opportunities within their career. Learning how a company conducts its mission fulfills that desire and creates an attractive challenge.
Companies with successful cyber programs understand that the domain of cyber is one of continuing education and not something you can necessarily train into expertise. Individuals are encouraged to participate in conferences through speaking and writing, contribute to open source projects, etc. Employment of cyber capabilities is often done through the lens of building product; not by bolting on “out of the box” tools or hacking together inelegant solutions that no one can figure out how to use. Security personnel are encouraged and expected to ask many questions and learn a lot about how the mission gets done, understand mission owner system requirements and concerns, research the threat landscape, and build security products and solutions that fit the mission.
Complicating this for the military is leadership that believes the Defense Industrial Base (DIB) should exclusively build and provide cyber capabilities separate from the operators themselves. While I can understand why one might think this way based on how large weapons systems are procured, this mindset is diametrically opposed to that of the best organizations conducting defensive cyber operations. Forward leaning companies build defensive capabilities that operate in an artificial, technical environment they constructed themselves, so their cyber operations within these environments must follow suit.
The answer to the “DIB vs home grown” debate probably lies somewhere in the middle. Large companies like Palo Alto Networks and Symantec, two of the most popular vendors, provide context-less capabilities, where their products do not have any “knowledge” of a company’s production environment, that many forward leaning companies use. However, commercial companies still create other custom capabilities that integrate deeply with vendor platforms to ensure a tailored approach to security is possible. Senior cyber personnel should determine the actual required mix of DIB vs “home grown” after significant amounts of interaction and research with military mission owners. The right mix will be specific to each environment and mission. Similar to how top commercial companies execute cyber operations, the military should take a very deliberate approach that enables their cyber corps to integrate with the mission owners, understand the space, have freedom to educate themselves on external threats, and plan and procure accordingly.
In summary, the key takeaways from observing commercial companies are:
- Cyber personnel must have a deep understanding of the company’s mission, processes, and that they are part of the culture
- Cyber personnel, specifically the senior and core cadre, must be capable of and encouraged to research, build, and operate capabilities designed specifically for the environment they are defending
- Senior Cyber personnel have a hand in recruiting and training junior personnel, moving them from “depth” to “breadth”, because stovepiping is not a recipe for success in cyber operations
So, looking forward, how does an organization actually organize the type of talent needed to create and foster an excellent cyber operations program? What is the job description for an individual that has both breadth and depth of understanding across many technical fields and security? And finally, what type of person has can integrate deeply with mission owners to develop a strong, trusting relationship?
The commercial sector has started to organize all of these traits into a role known as the security architect. The security architect, in many organizations, is often the epicenter of research, engineering & development, operations, and engagement with the adversary. In my final post, I will offer some suggestions the military could adopt, structured around this concept of a security architect, to create highly customized but flexible solutions that integrate with the mission owner’s needs.
John Myers is the co-founder and Chief Technical Officer of Efflux Systems, a cybersecurity startup. Previous to this, John served in the US Air Force as a Cyberspace Operations Officer. While on active duty, he led large scale cyber training, operations, planning, and exercises. He is also a graduate of the Department of Defense’s premier cyber operations development program: the Computer Network Operations Development Program.
Disclaimer: The views expressed are those of the author and do not necessarily reflect the official policy or position of the Department of Defense or the U.S. Government.