Battlefield Principles for Cybersecurity Leaders
By Jake Margolis, CISO, Metropolitan Water District of Southern California
Prior to becoming a CISO, I served in the California National Guard and U.S. Army as an Information Assurance professional and Brigade Signal Officer. The lessons and experiences that shaped my career were not learned through technical training or through my various technical management roles. Instead, the lessons I learned from leading missions in Afghanistan and the basic combat arms knowledge imparted to me when I was a newly minted Lieutenant have been far more impactful on my career as a successful cybersecurity professional.
When I attended Officer Candidate School, I had to learn and understand an important acronym, OAKOC, which stands for Observation and Fields of Fire, Avenues of Approach, Key and Decisive Terrain, Obstacles, and Cover and Concealment. Battles are won or lost over a commander’s understanding of these principles. One such example is the story of an English King and his stunning military victory over a larger and better prepared enemy.
In the fall of 1415, an English army under the command of Henry V was attempting to withdraw from France, having lost half of its 11,000 men to disease and battle injuries incurred while laying siege to Harfleur in Normandy. On the march northeast to rendezvous with his fleet, Henry’s army was blocked by a mass of 20,000 French soldiers at Agincourt. His army of archers, men-at-arms and knights was exhausted and greatly outnumbered, and Henry could not turn his army back because more French forces would be waiting to his rear. Henry knew his army would not make its way to the rendezvous.
After assessing the enemy and his own forces, he observed the local terrain, then maneuvered his archers into defensive positions along the high ground overlooking the area. Judging his men ready, Henry engaged the enemy. When the French army advanced, it was constrained by the terrain and the English defensive positions, making it easy for Henry’s archers to act with devastating effect. The French lost half of their forces while the English lost only 400 men. It was Henry’s understanding of the terrain, the adversary, and his own army that won the day.
How does a battle that took place over 500 years ago relate to today’s cybersecurity strategies? Simply put, cyberspace is a modern battlefield, and the adversary is leveraging every possible angle to gain access to an organization’s systems and data. Like Henry V, a CISO must assess what resources they have available and know the avenues of approach bad actors will use to attack the systems and data they safeguard. Translating Henry’s actions into cybersecurity terms means gaining an understanding of the people, processes, and technologies already in place.
For the past several years, the private and public sectors alike have been somewhat reactive in the strategies employed to protect systems and data; external factors have been driving procurement and policy more than an internal focus on risk analysis and risk-based decision making. Being forward-looking is a luxury most CIOs and CISOs don’t have. Many organizations are in a cycle of playing catch-up, patching and protecting against last week’s threat.
How does a CISO get ahead? Taking a moment to assess the state of the enterprise from a people, process, and technology standpoint is a good place to start, and this is where a lesson from the U.S. Army on OAKOC can be handy for the CISO.
Observation: This means developing an understanding of the infrastructure that houses the organization’s data and systems. The assessment should encompass every device and solution connected to the enterprise, along with its inbound and outbound connections. After assessing the environment, overlay the business requirements on the technical topology diagrams, so that each technical component is tied to the business function it supports.
Avenues of Approach: This is simply taking a moment to understand the attack vectors used by bad actors. A current picture of popular attack vectors can be easily obtained through open sources such as CIO Review or by subscribing to a cyber threat intelligence service provider. This analysis should also include how the Security Information and Event Management (SIEM) and Governance, Risk and Compliance (GRC) platforms are used to incorporate risk and intelligence information.
For example, patching for WannaCry may still be a known problem. A cyber threat intelligence service provider can supply information on the likelihood that this vulnerability will be exploited, and feeding vulnerability scanning results into a SIEM or GRC platform can give a clearer picture of the extent to which the vulnerability exists across the enterprise.
Key and Decisive Terrain: Take time to study topology diagrams and understand how existing security technologies are deployed relative to the Avenues of Approach. Then look for opportunities to move those existing technologies to more defensible locations on the enterprise.
Obstacles: These are typically a lack of personnel, employees lacking cybersecurity skill sets, or budgetary constraints. They could also be internal business processes that hamper security efforts. There may even be internal politics, such as friction between network operations and security teams. Obstacles are not going to go away; accepting the organization’s challenges is essential for the CISO’s vision to be transformed into a strategy.
Cover: It is definitely in the best interest of a CISO to have cover from the CIO, CEO and the Board. Cover here means support for, and adoption of, cybersecurity policies and budgets, which translates into development of people, processes, and technologies. To obtain cover from leadership, the CISO must translate existing security concerns into language that conveys the impact on the business, including the financial, reputational and legal consequences of not mitigating cyber risks.
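As an added illustration of the data flow sketched under Avenues of Approach (this code is not from the article), constructed vulnerability-scan findings are joined with a constructed threat-intelligence feed that rates exploitation likelihood, and with the business overlay from the Observation step expressed as host criticality, to rank which vulnerabilities a GRC view should surface first. The vulnerability IDs, scores and the exposure formula are assumptions for illustration only.

```python
from collections import defaultdict

# Constructed scan output, one row per (host, vulnerability id); the ids are
# placeholders, not real CVE numbers.
SCAN_FINDINGS = [
    {"host": "fileserver-01", "vuln": "VULN-SMB-0001"},
    {"host": "fileserver-02", "vuln": "VULN-SMB-0001"},
    {"host": "kiosk-03",      "vuln": "VULN-SMB-0001"},
    {"host": "hr-web-01",     "vuln": "VULN-WEB-0007"},
    {"host": "hr-web-01",     "vuln": "VULN-TLS-0002"},
]
# Constructed threat-intelligence feed: likelihood (0..1) that each
# vulnerability is being exploited in the wild. VULN-TLS-0002 has no entry.
THREAT_INTEL = {"VULN-SMB-0001": 0.9, "VULN-WEB-0007": 0.4}
# Constructed business overlay from the Observation step: criticality 1..5.
ASSET_CRITICALITY = {"fileserver-01": 5, "fileserver-02": 5,
                     "hr-web-01": 4, "kiosk-03": 1}
DEFAULT_LIKELIHOOD = 0.5  # assumption for vulnerabilities with no intel

def prioritise(findings, intel, criticality, default=DEFAULT_LIKELIHOOD):
    """Rank vulnerabilities by exposure = likelihood * sum(host criticality).
    The scoring model is an assumption for illustration, not a standard.
    Returns dicts sorted by descending exposure with the affected hosts."""
    hosts_by_vuln = defaultdict(set)
    for f in findings:
        hosts_by_vuln[f["vuln"]].add(f["host"])
    ranked = []
    for vuln, hosts in hosts_by_vuln.items():
        likelihood = intel.get(vuln, default)
        weight = sum(criticality.get(h, 1) for h in hosts)  # unknown host -> 1
        ranked.append({"vuln": vuln, "likelihood": likelihood,
                       "hosts": sorted(hosts),
                       "exposure": round(likelihood * weight, 2)})
    # Deterministic order: highest exposure first, ties broken by id.
    ranked.sort(key=lambda r: (-r["exposure"], r["vuln"]))
    return ranked

if __name__ == "__main__":
    for row in prioritise(SCAN_FINDINGS, THREAT_INTEL, ASSET_CRITICALITY):
        print(f"{row['vuln']:14} exposure={row['exposure']:<6} hosts={row['hosts']}")
```

Note that the vulnerability with no intelligence entry still outranks the one rated at 0.4 because of the conservative default, which is the point of pulling both feeds into one view rather than acting on either alone.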
King Henry was able to use the concepts behind OAKOC to translate vision into action resulting in a decisive victory. Like Henry V, a CISO can create equally dramatic results by merging vision with these principles to organize existing security efforts into a cohesive strategic plan.