The Inversion Approach to Cyber Strategy

Matthew Doan
4 min read · Aug 30, 2018

The security operations leader burst into the CISO’s office and exclaimed, “we’ve been hit!”

The latest malware variant was spreading like digital wildfire across corporate systems, disabling critical business processes at a rapid clip. Despite the recent upgrades in human talent and toolsets, the security program is now experiencing its third major (gut-wrenching) incident in 18 months. The CISO clenches her fist as her pulse rises and panic sets in. She knows her next call is to the CEO…

Situations like this are incredibly disturbing. In a world where we know this type of impactful scenario exists, organizations of all shapes and sizes are still consistently failing in preventing such incidents.

Why is that?

Everything eventually filters down to execution, but good cyber security starts with healthy strategy. While I’m the first to admit that “strategy” can mean lots of things to different people, what worries me the most is that too many security programs have very little of it. And when they do, it’s guided often solely by an ideal (e.g., minimize attack surface, have robust detection capability).

Ideals are useful, don’t get me wrong. They provide directional guidance and inspiration on how things ought to be. However, ideals limit our thinking, creating two specific problems:

1) There’s no destination: As Dan Sullivan says, ideals are like the horizon; something you can walk toward but never reach. It’s impossible to measure progress against an ideal. In this sense, you’re always stuck sensing your “gap”, not your “gain”.

2) It drives ignorance: When we strategize based solely on the ideal, we define our intended outcome and devise a critical path to get there, wholly ignoring things that could — and likely will — go wrong.

Building strategy through inverse thinking

Ryan Holiday shows us how, dating back thousands of years, the great Stoic philosophers like Seneca, Marcus Aurelius, and Epictetus practiced and preached premeditatio malorum (premeditation of evils). In this sense, a person with an intended outcome (strategy) would, at the outset, take time to identify all the ways that the opposite could happen. Back in the day, a ship captain seeking to cross a major ocean would need to think through all the challenges he’d likely face, and plan contingencies (e.g., type of crew, rations, spare parts) accordingly. James Clear gives this concept a catchy, modern name: “inversion” thinking. In summary, this is the ability to think backward from the intended outcome, and shine a light on all of the potential roadblocks.

As an example for the cyber security realm, a leader might have great aspirations for a highly-automated operations center, and make discrete plans for that. But the next crucial step that the leader should take before embarking is to employ inversion thinking and picture exactly how:

…the existing talent base is insufficient

…the organization will fail to acquire and/or tune the new technology

…existing manual processes won’t work in the new automated environment

…stakeholders will resist adoption of this new construct

A great way to illuminate these potential failures is to use design thinking techniques, where the intent is to free the mind of existing constraints and have a group of individuals deliberate on what’s possible. In this case, they’d be looking at how to implement cyber security from two opposite perspectives: imagining a 100% success scenario and a 100% failure scenario. Those insights, thoughtfully blended together, bring extreme value in setting a cyber strategy.

By thinking the problem “back and forth”, equally analyzing scenarios of success and failure at once, you’ll have the fuel you need for the right strategy, and eventually the right execution. As counterintuitive as it might feel, viscerally envisioning what it would look and feel like to experience utter failure is one of the greatest accelerants of success.

Downstream, as the program matures, engraining this type of thinking into the culture early on will provide continued benefits. You’ll be able to systematically derive lessons learned from the environment, whether that be from live incidents or exercises (e.g., red teaming, wargaming). Inversion thinking is powerful.

We have an important mindset issue to treat in the cyber security community. I genuinely feel that infusing more “art” to balance out traditional “science”-heavy approaches will go a long way in making this a safer and more prosperous world. I hope this small idea spurs some new thinking and action for you.
