Traditionally, tacticians in war have said, “The best defense is a good offense.” However, that statement couldn’t be farther from the truth when it comes to creating a cyberwar defense strategy.
We spoke with Joshua Douglas, Chief Strategy Officer of Cyber Services at Raytheon, to uncover other misconceptions about best practices for an effective cyber defense strategy. Douglas has nearly two decades of experience in helping global enterprises and government agencies secure their most prized business/mission assets.
During his past 11 years at Raytheon, he has served as the CTO for Forcepoint, overseeing Raytheon’s Cyber Security Intelligence Operations, Malware Concepts, Security Infrastructure Operations and Research Technologies tasked to produce effective forward-looking cyber software solutions to contain and control advanced threats.
These solutions are used to help commercial and government entities protect their enterprises and the global cyber supply chain from ever-changing advanced persistent threats and malware.
Christopher P. Skroupa: What are some of the common misconceptions about creating a successful cyber defense strategy?
Joshua Douglas: In short, three words: Culture, Complexity, Commitment.
I believe there are really three major misconceptions when it comes to a cyber defense strategy, centered around what I call the “Three C’s of Cyber: Culture, Complexity and Commitment.” Oddly enough, they have not changed in the last 20 years!
The first, culture. We often focus on what problems we are fighting, not why we are fighting the problems. The biggest threat we face against a successful cyber security strategy is not the bits and bytes we often protect and/or ward off. The truth of the matter is that people often make a cyber security strategy fail.
You must consider how you engage employees to be a part of the cyber security machine, and acquire the right talent to help drive security commitment from the top down. Without it, your cyber security strategy fails even before you execute the plan.
The second, complexity. As security professionals and technology junkies, we always want the shiniest tools to complete the tasks at hand. That means pushing more and more complexity into the environment. The key to a successful strategy is not to increase complexity. Rather, you must enact a plan which allows you to stay on pace with the threat, without expending more resources than the threats you are defending against.
The third, commitment. Creating a cyber security strategy can be as easy as copying one off the web, putting it in a document and sending it to everyone. This does nothing to drive commitment.
There has to be commitment from HR, Legal, Communications, Executive Leadership, etc., to build an effective strategy that can be executed and have a personal impact on every employee. That means cyber security leadership cannot be just security experts; they also have to be teachers and influencers who can explain to everyone why cyber security is important to the company and what value it brings to the roles of the individuals.
Skroupa: What aspect of cyber defense is generally neglected by executives? How should they address these gaps in their strategy?
Douglas: Executives are primarily expected to focus on the business requirements necessary to meet bookings and revenue goals on a daily basis. As a result, they typically do not think past what is required to recover from a breach, nor do they implement effective measures to prevent or decrease them in the first place.
Their focus should be on developing solid incident response plans, determining how effective their cyber security posture truly is using real life scenarios, training their staff to become human security sensors and proactively hunting threat actors.
Skroupa: How can these companies measure the effectiveness of their strategy before a breach occurs?
Douglas: Unfortunately, the only way to know how you would measure up to a breach is to have one and measure your dwell time, which is the amount of time from compromise to remediation. Luckily, you can emulate and measure breaches with a “Red Team” engagement. We have found that in our interactions with customers, we get in 100% of the time the first and second time. It is not until the third time that we only get in 50% of the time. That is a scary statistic if you are not measuring your effectiveness.
Skroupa: What can executives learn through examining recent trends in cyber breaches?
Douglas: The most important thing is that attackers are in networks way too long, because people are measuring the wrong things. For example, things like firewall blocks and how fast they can send out a ticket vs. measuring dwell time.
Secondly, technology alone is not stopping the threats, as we have seen in a couple of major breaches – they really need to keep it simple and hire the right people. These same companies are doing things like not patching systems, running outdated OSes and not engaging their staff in the cyber security life cycle to combat the human element of cyber security.
If executives want to get ahead of the curve, they need to challenge their security teams on the metrics they use to determine whether it’s just a number or it’s a relevant metric. As leaders, they should be promoting cyber security.
Lastly, they should be validating their security posture with assessments, understanding their current incident response plan and working with their teams to be more proactive in their ability to find threats, instead of just being notified of threats through tools [vs. people].
Prior to joining Raytheon, Douglas had a successful track record in network security operations and engineering management positions, securing enterprise environments while promoting contextual response.
His prior employers include Enterasys Networks, Kronos, Genuity, MIT Lincoln Laboratory and other prominent enterprises. Douglas earned a Bachelor of Science Degree in Computer Science from Appalachian State University and currently holds a number of technical computer and network security certifications.
Joshua Douglas will be a panelist during the opening discussion The Threat Landscape: Latest Trends in Attack Methods and Defense Strategies at the Global Cyber Security Summit in London, UK on October 12-13.
Originally published on Forbes.com.