01 . Juni 2017
Posts nach Autoren: Bryan K. Fite, Account CISO, BT.
Bryan Fite examines the different ways you can make more of that most valuable of assets — people.
As a business, humans can be your biggest asset or your biggest liability — and sometimes they’re both. That’s why, when I’m transforming an organisation’s cyber operations, making human assets more effective is often my primary focus. For this transformation to work, there are three key aspects to bear in mind: simulations, matrices, and organisation.
Success in education, through simulation
My experience has been that simulations are a great way to train and assess cyber operations personnel.
The beauty of using simulations is that you can design them to achieve specific objectives — basic training of initiates, assessing capabilities, effective team building and professional development in a safe, legal and cost effective method. Edutainment, if you will. I’ve published a white paper on the subject, which is available here.
The more immersive and realistic the simulation, the more effective it is as a training and assessment platform. The movie ‘The Matrix’, depicts a simulation so immersive and realistic that its participants do not realise they’re in a simulation. That’s what we’re aiming for.
Simulations, and other forms of edutainment, are a key tool in the fight against cyber crime, and that’s why they play a large role in my job. A major theme of my current research and community outreach is focused on using simulations, games and competitions as a way to train and assess cyber operations personnel. I currently sit on the NICE Competitions Working Group, which promotes the value of competitions. I also play the role of Packet Master in the Cyber Sport called Packetwars™ — a platform I’ve successfully used for almost 20 years to create immersive educational experiences which are both fun and challenging.
The power of the matrix — no, not the movie
An actual matrix (as opposed to the movie) can also be a powerful tool for leveraging your human assets. In its simplest form, a matrix is a two-dimensional array of rows and columns, populated with numbers, symbols or expressions.
Matrices are easily drawn on paper, elegant in their simplicity and incredibly useful. We use them all the time — a spreadsheet is a type of matrix that should be familiar to everyone. The power of the matrix can truly be realised when multiple matrices are linked via a pivot point (aka shared data element).
Like simulations, matrices can also be very ‘human friendly’, especially when analysts need to pivot or otherwise enhance their situational awareness.
Using matrices with the proper contextual data can aid incident responders in developing actionable intelligence. Specialised matrices can also be linked together by one or more data elements, which enables successful collaboration across stakeholder communities. They’re also helpful in regards to Indicators of Compromise (IOCs) — well-understood pivot points for incident responders, forensic personnel and hunters. Once an IOC is identified, analysts can use it to determine things like attack vector, attack target and TTPs (Tactics, Techniques and Procedures).
Once you have an IOC, it’s rather trivial to search for impacted systems elements. It’s those type of connections between matrices we want to exploit. Data that is not properly articulated in a matrix, well understood or available, can never be properly leveraged — so it’s important to get this right.
Why organisation is key
Equally important, and often the thing that makes or breaks human effectiveness, is how humans are organised into groups or ‘tribes’. These organisational entities can also be viewed and described as a matrix.
In many organisations, the ‘matrix’ refers to the hierarchy, culture and organisational constructs, like chain of command, which bind the various stakeholders. I myself operate in a highly matrixed organisation. I interact with many stakeholders, but generally don’t directly manage human assets. In order to ‘lead’ in such an environment, I must influence stakeholders, create compelling business cases and align diverse ‘stakeholders’ across the organisational matrix. I jokingly describe my primary function as ‘herding cats’, which is really concerned with aligning stakeholders and driving meaningful change. This is why I aspire to be a trusted advisor, instead of a ‘boss’.
The benefits if you get it right
In today’s world, a successful CISO must be able to navigate in a highly matrixed organisation. If you don’t have budget or direct managerial control over human assets, you must be able to lead across the matrix.
Through immersive simulations we can train, assess and recruit human assets (aka talent). By optimising the consumption and communication of data across stakeholders, we can facilitate the creation of actionable intelligence and effect positive change. When we think about the different types of matrices, the thread that binds them all is really about human effectiveness.