Cybersecurity is more warfare than security. At a 3 Tree Tech security event, Michael Meis, Associate CISO of The University of Kansas Health System, says that if you want to win, you have to think strategically enough to conquer your adversary. If you want to learn how to build a cybersecurity team, Meis has a fascinating perspective… from Sun Tzu.
He discusses the evolution of warfare, stating, “we came to this collective realization that we could take things of value from other people by leveraging violence or the threat of violence.” He reflects on the constant state of conflict throughout human history, noting how advancements in warfare technology have shaped modern warfare.
How to build a cybersecurity team ready for war
Meis emphasizes the relevance of historical strategies in contemporary settings. “The preeminent book on warfare strategy was written 7,000 years ago… Sun Tzu’s Art of War.” He suggests applying these age-old strategies to modern cyber defense.
“As we’ve evolved into modern warfare, the idea of victory has become much more nebulous and relative.” He uses the example of America’s involvement in Afghanistan to illustrate the complexities of defining victory in modern conflicts. Instead, he advocates for leaders taking a more active, strategic role. “Set a vision and a mission statement for our security organization,” he says, stressing the importance of discussing “acceptable levels of risk and acceptable levels of loss” with top decision-makers.
It’s best to get everything on the table. Understanding how to build a cybersecurity team starts with realistic expectations, and realistic strategies when you face defeat.
CISOs need to understand revenue cycles.
Perhaps the most compelling thing Meis discusses is how CISOs and CIOs often know less about company revenue than the actual threat actor. “The sad fact is, most security leaders and most security personnel do not know their organization’s revenue cycle,” he says. That’s a problem.
Because cybersecurity professionals can’t tell how money flows through an organization and where it’s going, they can easily be caught off guard. “Do you know who does know our revenue cycle? The actors targeting us,” he says. “They spend about 6 to 12 months on average learning about your organization and specifically learning about your assets and your revenue cycle.”
This allows threat actors to surgically strike against your company with revenue in mind. Money is their goal, and if they hit you when you’re flush with cash, they know you will pay an exorbitant amount of money to get moving again. It’s the ransomware problem in a nutshell.
He also addressed alliances among threat actors, noting that many have backing from nation-states or collaborate in communities, sharing resources and expertise. He contrasts this with the alliances organizations have with their vendors, urging a critical evaluation of these relationships. Meis critiques some vendor partnerships as superficial, emphasizing the need for truly invested allies who contribute to strategic goals like compliance and attack surface reduction. He cautions CISOs to be careful in vendor selection, ensuring alignment with organizational security objectives.
His advice? If you want to understand how to build a cybersecurity team, make sure your team works well with, and understands, your finance people, CFO, and even marketing. “Spend time with your marketing people, and really understand your revenue cycle, so that you can put appropriate protections throughout that entire cycle.”
MITRE ATT&CK
Meis also discussed threat actors and their strategies, emphasizing the importance of understanding their capabilities and tactics. He references the MITRE ATT&CK framework, a tool that maps 245 techniques used by threat actors to attack organizations. He advocates for using this framework to identify gaps in defense, highlighting the significance of matching organizational capabilities against these techniques to identify vulnerabilities.
***
Finally, Meis highlighted the need for balanced education in security. “There’s always going to be threats out there. And they are serious. And here’s what we’re doing to address them. Educate. Empower. The entire theme around this is to be light in the middle of the cyber storm.”
Justin Kent is Editor in Chief for 3 Tree Tech. His work focuses on how security and CX technology empower leaders to scale faster. He has previously written for The Wall Street Journal, Washington Post, Harvard Business Review and others.